1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Size

187KB
MD5

9fa50eca1b16eb78840fd1258c91a7f0
SHA1

6b8f49299e34269338b037d8f33f454219a62ace
SHA256

1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4
SHA512

3dcd9fa8a9ea3358513933bf3a8d02a0471c90ee94e9e1dc0c9009205d3f4c14aa3e9f0feacbbedfe75352ec38de714f5d1a77401a634e5491069a2281ad59d3
SSDEEP

3072:nerbWgA4TIIZ3igaGCmaVxAbzZSOwFz2JPrFkW/7fXbG3poBTJgAg1Ci/B8JE+7x:ner7TdcgaGlaHOLU4PrFkW/7frG3p6lQ

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	GQsEUYcI.exe

Executes dropped EXE 2 IoCs

pid	Process
3812	GQsEUYcI.exe
2924	TEUIooQU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GQsEUYcI.exe = "C:\\Users\\Admin\\NsMkEoYM\\GQsEUYcI.exe"	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEUIooQU.exe = "C:\\ProgramData\\nUQksUMI\\TEUIooQU.exe"	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GQsEUYcI.exe = "C:\\Users\\Admin\\NsMkEoYM\\GQsEUYcI.exe"	GQsEUYcI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEUIooQU.exe = "C:\\ProgramData\\nUQksUMI\\TEUIooQU.exe"	TEUIooQU.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	GQsEUYcI.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	GQsEUYcI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2304	reg.exe
216	reg.exe
4624	reg.exe
3468	reg.exe
636	Process not Found
2872	reg.exe
3552	reg.exe
2736	reg.exe
4432	Process not Found
1460	reg.exe
2280	reg.exe
3112	reg.exe
3972	reg.exe
4456	reg.exe
5056	reg.exe
5076	Process not Found
840	reg.exe
4388	reg.exe
856	reg.exe
400	Process not Found
3012	reg.exe
2016	reg.exe
824	reg.exe
3592	reg.exe
4844	reg.exe
3060	reg.exe
2644	reg.exe
628	reg.exe
1268	reg.exe
2248	reg.exe
1964	reg.exe
4348	reg.exe
1464	Process not Found
448	Process not Found
5108	reg.exe
3552	reg.exe
3204	reg.exe
3828	reg.exe
2616	reg.exe
1668	reg.exe
2432	reg.exe
396	reg.exe
924	reg.exe
2348	reg.exe
664	reg.exe
652	reg.exe
216	reg.exe
2680	reg.exe
1240	reg.exe
2152	reg.exe
1540	reg.exe
5048	reg.exe
384	reg.exe
2308	reg.exe
4604	reg.exe
4972	reg.exe
1112	reg.exe
2492	reg.exe
2736	reg.exe
1104	Process not Found
4908	reg.exe
3708	reg.exe
2640	reg.exe
2228	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4516	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4516	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4516	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4516	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2280	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2280	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2280	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2280	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4104	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4104	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4104	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4104	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4572	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4572	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4572	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4572	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2064	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2064	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2064	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2064	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
396	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
396	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
396	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
396	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2552	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2552	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2552	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2552	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
1616	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
1616	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
1616	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
1616	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
944	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
944	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
944	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
944	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2232	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2232	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2232	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2232	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4512	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4512	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4512	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
4512	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2840	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2840	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2840	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
2840	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
1020	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
1020	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
1020	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
1020	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3812	GQsEUYcI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe
3812	GQsEUYcI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3812	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	82
PID 208 wrote to memory of 3812	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	82
PID 208 wrote to memory of 3812	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	82
PID 208 wrote to memory of 2924	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	83
PID 208 wrote to memory of 2924	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	83
PID 208 wrote to memory of 2924	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	83
PID 208 wrote to memory of 3700	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	84
PID 208 wrote to memory of 3700	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	84
PID 208 wrote to memory of 3700	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	84
PID 3700 wrote to memory of 4828	3700	cmd.exe	86
PID 3700 wrote to memory of 4828	3700	cmd.exe	86
PID 3700 wrote to memory of 4828	3700	cmd.exe	86
PID 208 wrote to memory of 2276	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	87
PID 208 wrote to memory of 2276	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	87
PID 208 wrote to memory of 2276	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	87
PID 208 wrote to memory of 3716	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	88
PID 208 wrote to memory of 3716	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	88
PID 208 wrote to memory of 3716	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	88
PID 208 wrote to memory of 3696	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	89
PID 208 wrote to memory of 3696	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	89
PID 208 wrote to memory of 3696	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	89
PID 208 wrote to memory of 3868	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	90
PID 208 wrote to memory of 3868	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	90
PID 208 wrote to memory of 3868	208	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	90
PID 3868 wrote to memory of 1112	3868	cmd.exe	95
PID 3868 wrote to memory of 1112	3868	cmd.exe	95
PID 3868 wrote to memory of 1112	3868	cmd.exe	95
PID 4828 wrote to memory of 1964	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	96
PID 4828 wrote to memory of 1964	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	96
PID 4828 wrote to memory of 1964	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	96
PID 1964 wrote to memory of 4624	1964	cmd.exe	98
PID 1964 wrote to memory of 4624	1964	cmd.exe	98
PID 1964 wrote to memory of 4624	1964	cmd.exe	98
PID 4828 wrote to memory of 3584	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	99
PID 4828 wrote to memory of 3584	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	99
PID 4828 wrote to memory of 3584	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	99
PID 4828 wrote to memory of 2068	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	100
PID 4828 wrote to memory of 2068	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	100
PID 4828 wrote to memory of 2068	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	100
PID 4828 wrote to memory of 2192	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	101
PID 4828 wrote to memory of 2192	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	101
PID 4828 wrote to memory of 2192	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	101
PID 4828 wrote to memory of 228	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	102
PID 4828 wrote to memory of 228	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	102
PID 4828 wrote to memory of 228	4828	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	102
PID 228 wrote to memory of 4312	228	cmd.exe	107
PID 228 wrote to memory of 4312	228	cmd.exe	107
PID 228 wrote to memory of 4312	228	cmd.exe	107
PID 4624 wrote to memory of 252	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	108
PID 4624 wrote to memory of 252	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	108
PID 4624 wrote to memory of 252	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	108
PID 252 wrote to memory of 4516	252	cmd.exe	110
PID 252 wrote to memory of 4516	252	cmd.exe	110
PID 252 wrote to memory of 4516	252	cmd.exe	110
PID 4624 wrote to memory of 3228	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	111
PID 4624 wrote to memory of 3228	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	111
PID 4624 wrote to memory of 3228	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	111
PID 4624 wrote to memory of 2644	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	112
PID 4624 wrote to memory of 2644	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	112
PID 4624 wrote to memory of 2644	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	112
PID 4624 wrote to memory of 3828	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	113
PID 4624 wrote to memory of 3828	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	113
PID 4624 wrote to memory of 3828	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	113
PID 4624 wrote to memory of 976	4624	1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe	114

C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
"C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\NsMkEoYM\GQsEUYcI.exe
  "C:\Users\Admin\NsMkEoYM\GQsEUYcI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3812
- C:\ProgramData\nUQksUMI\TEUIooQU.exe
  "C:\ProgramData\nUQksUMI\TEUIooQU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
    C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:252
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        8⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        12⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        14⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        16⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        18⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        20⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        24⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        26⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        28⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        30⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        32⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        33⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        34⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        35⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        36⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        37⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        38⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        39⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        40⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        41⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        42⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        43⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        44⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        45⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        46⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        47⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        48⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        49⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        50⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        51⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        52⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        53⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        54⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        55⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        56⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        57⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        58⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        59⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        60⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        61⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        62⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        63⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        64⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        65⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        66⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        67⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        68⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        69⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        70⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        72⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        73⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        74⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        75⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        76⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        77⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        79⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        80⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        81⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        82⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        83⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        84⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        85⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        86⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        87⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        88⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        89⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        90⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        91⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        92⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        93⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        94⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        95⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        96⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        97⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        98⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        99⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        100⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        101⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        102⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        103⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        104⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        105⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        106⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        107⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        108⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        109⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        110⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        111⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        113⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        114⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        115⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        116⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        117⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        118⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        119⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        120⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        121⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        122⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        123⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        124⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        125⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        127⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        128⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        129⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        130⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        131⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        132⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        133⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        134⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        135⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        136⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        137⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        138⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        139⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        140⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        141⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        142⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        143⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        144⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        145⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        146⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        147⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        148⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        149⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        150⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        151⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        152⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        153⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        154⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        155⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        156⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        157⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        158⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        159⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        160⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        161⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        162⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        163⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        164⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        165⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        166⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        167⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        169⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        170⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        171⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        172⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        173⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        175⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        176⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        177⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        178⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        179⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        180⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        181⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        182⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        183⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        184⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        185⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        186⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        187⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        188⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        189⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        190⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        191⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        192⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        193⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        195⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        196⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        197⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        198⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        199⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        200⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        202⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        203⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        204⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        205⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        206⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        207⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        208⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        209⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        210⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        211⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        212⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        213⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        214⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        215⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        216⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        217⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        218⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        219⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        220⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        221⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        222⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        223⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        224⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        225⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        226⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        227⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        228⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        229⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        230⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        231⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        232⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        233⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        234⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        235⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        236⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        237⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        238⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        239⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        240⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        241⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        242⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        243⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        244⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        246⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        247⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        248⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        249⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        250⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        251⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        252⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        253⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        254⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        255⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        256⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        257⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        258⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        259⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        260⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        261⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        262⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        263⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        264⤵
        
        PID:824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        265⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        266⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        267⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        268⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        269⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        270⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        272⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        274⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        275⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        276⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        277⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        278⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        279⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N"
        280⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N
        281⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        Modifies visibility of file extensions in Explorer
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IskQYkQM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        280⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QowkocQg.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        278⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiMoIIYg.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        276⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKMoEEIs.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        UAC bypass
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkIokUEU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        272⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        UAC bypass
        
        PID:1104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWYogAco.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        270⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScMYoUkk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        268⤵
        
        PID:4016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKEsgoAs.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        266⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQAUwsMs.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        264⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGAwIgoE.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        262⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqUkAkcc.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        260⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGkMcMMg.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        258⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcwQYMIA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        256⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIsksMYk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        254⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqUcgccQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        252⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCAwsQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        250⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies registry key
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkQAEwoU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        248⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAYgQAME.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        246⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOIYkYok.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        244⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaEokgAM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        242⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWUYkwoI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        240⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sccoooYs.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        238⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqwcUowA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        236⤵
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGgsEQYM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        234⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYYcoMME.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        232⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuUkgQEc.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        230⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYMcYIUI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        228⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joEAgoks.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        226⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQwEoEUk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        224⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKcsMwwM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        222⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAcMAskw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        220⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EckkQoMw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        218⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAgIIQos.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        216⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkgYkwIU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        214⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\recYckgA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        212⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hycwkAQU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        210⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lcskogcc.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        208⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyYcYkQU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AscQIcYw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        204⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEskUUoA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        202⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEkEkIIU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        200⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmIIEUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        198⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMYMUYoA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        196⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKoUMAcI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        194⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyIEkooQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        192⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkskcgEg.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        190⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmoYYQEg.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        188⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niUUoYAU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        186⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        Modifies registry key
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSIUkUcA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        184⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGYwYAMw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        182⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAYEgIIo.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        180⤵
        
        PID:4600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:1484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCUMwgUw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        178⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqkcgcsE.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        176⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iowYoEQU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        174⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOkYkgkk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        172⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYIwYkMk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        170⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYUIwIAc.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        168⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSIAQgUI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        166⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyQcgwwE.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        164⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOAsYMEk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WowQsAAw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        160⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaMUYAkE.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        158⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hecUowkI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        156⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGQAQAQE.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        154⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liAgAMEo.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        152⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EewIEEow.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        150⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGQoMAgU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        148⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akcEwsEw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        146⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMMUAsQs.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        144⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tswMsMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        142⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaEQkkYY.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        140⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEskcIAY.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        138⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMQsIEwA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        136⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoMEYMQA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        134⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYQcUgoo.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        132⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAMgYMgE.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        130⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkQAMkYI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        128⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCIcMcUY.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        126⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HakIskcY.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        124⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGIUoQwU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        122⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKcwEcQI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        120⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYUkIgUg.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        118⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deAwMIAU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        116⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAggooUI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        114⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juUYwAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        112⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dscsowkk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        110⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YewMksYM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        108⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwosgQcg.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        106⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsYcUMAs.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        104⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEkAEIsA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        102⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCIEUMIY.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        100⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwkMIgME.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        98⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiMcwYEI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        96⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywUAMYAc.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        94⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WskcoEMI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIogoogM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        90⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSsMYAkA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        88⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoYQkcsM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        86⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaYsIMww.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        84⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgAIYEoI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        82⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EookQYQo.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        80⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\easoYIoA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        78⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aakQcYsw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        76⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zgkgogkw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        74⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsUYQEgM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        72⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jowAUsUU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        70⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGwQwgYw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiIcsgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        66⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuMosQkc.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        64⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMcIsIkw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        62⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecIEgYAY.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        60⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiYUAosk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        58⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKQkgscc.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkQMIwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        54⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UykUoEQU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        52⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAgAUwEE.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        50⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSMgIoEU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        48⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOcgMAMM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        46⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIYwsQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        44⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOsgQYQM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        42⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmwsYwQk.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        40⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGMgIAkA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        38⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqIoMIgA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        36⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMkMMkIw.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        34⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weUMAUws.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        32⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LecsQQQA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        30⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEwkIEgY.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        28⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCEQYQUY.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        26⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWQMUsEM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        24⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkswoQok.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        22⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqYsoEoU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        20⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQwIgAEU.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        18⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUQoooMA.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        16⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duoYIIMs.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        14⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSAUwIks.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKMUcsgM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        10⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kasQgEUg.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        8⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3212
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2644
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:3828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIIcIEoM.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3648
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3584
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osYgAUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2276
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3716
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSEAowoI.bat" "C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
246KB

MD5
98d2126886f63e9e7dc8431535966ef4

SHA1
1abce0c9b3f1d32b5385e6dbdff309166c8dbef0

SHA256
42c8a0dc189760ed523c486271569dfcfa099d86536fe4e94b3a0f4b8b0a4bba

SHA512
d7f5d665b408ab414fdf529a94555656318314633c7b479185fa8ff889939dd458c3050c7c863cddcbb5d2f750a82b38f7f11bf0ad8eae6859129b4224973e16

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
230KB

MD5
90a5a69c3df40fff3dffbc4745eceb58

SHA1
a150d2f298bd1258dc46e3db3048b73311e15ad1

SHA256
f64dcb1cc86eb2c2b100a065feb781c38e85949a7259eeac82416cb216a1121a

SHA512
d334e2f0b2fdfc06e73e5500787d8e6b653fe6036221363afb87e9456f6bb7197af66dc7ca8f0ab6a6f340bdcf5f436d401dbf18b4756d834ecb1bb5bd432e33

Download Submit
C:\ProgramData\nUQksUMI\TEUIooQU.exe

Filesize
203KB

MD5
7aab574697101781c035a7b2d4e5a98f

SHA1
3a787ada3de388c5c53222d31f723721595ff788

SHA256
7cd68344ec027e1d9360e97a088ff0c67870197f7cb994e6b9322d409524bf39

SHA512
6ee087ab844091d5dfa7c65ef088e1ebae61e80c80325222dfb35cc683a6daaadc205fde07423917f9b7c9fd604ae49f5598aded67aaae4b1a2c10150b9b5da7

Download Submit
C:\ProgramData\nUQksUMI\TEUIooQU.inf

Filesize
4B

MD5
012ed2f701840111fb276d80cd23eca8

SHA1
4c08f01dc4711af9a3e48b34bf5e161eb1aa2f7f

SHA256
b7f4b640f66fcb1e69e0ff4988a24d5ed5683ef0f103a59541d3e0200f5e9015

SHA512
0708a7b11a771f223c98021bcad4dcbecfbb87b72a435a150f4b690f1b38e61ef68791faa119245343023d08c4480550b31b8ec6507183054b4b893370052448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
199KB

MD5
1be09932348a03cbfb05f6010187499c

SHA1
5bc93a4d9b02271c1f49397d5b18dff3e595c103

SHA256
4dd6fa09d4da68d99ffe1709dcfd8ea53bd2004a9bcee4e2294da4364a6598f3

SHA512
b5379ff79cc8b381ec07fe69e81a232baf1301c5026bd7d95b87bf6f285790485804e446afc6f39eb577a5e08a1899ce5445e9557bf46ad8cee3454ec5900dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
192KB

MD5
01c3b44787387a009bf7c6c1c610fbe8

SHA1
1ebeba05bc675930f438682dce8ca0536e17ed0c

SHA256
153b3ee4ac4f31d025c33f5447ce9f1c39d65ba6caffda4436e26d3bb774fbb3

SHA512
91c55f090f52883b8873c8eb202c2940bb2acf9b5422aef66b255f77b37c3b34ff152b24ab2f25a4fd80d006ee673b66861ce5a9e0303c2f7be4e55b0a348a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
564KB

MD5
46811391eb64cdaa107730c25e58d80e

SHA1
cf9ec3452ecbe08fea9fe537bcf495e6c697c4a2

SHA256
159055335ff8a69d5228a69074bedb89b90024048afaef6f8bc194f196282372

SHA512
bc469a5fac609e5cb70e309a1e6bb7c6d593ded6354d43904df37d1990a916aab67f12a528a1057c709e7b9bbdb8ed6cb1ca59647786bfdfa0e1f44b14bae503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
189KB

MD5
3c6a06535b983c54023d138db1b49d03

SHA1
1cc48ebc8b4900a39905b0a56db8f9bba4c1077b

SHA256
10e760dc4888394f4c6df4ad56b52ae1190e403bc0d15acc18876f9dc9cfdea8

SHA512
c9b89debcfdf434d1fcbb36abdb56e4082be1a26519708fc9312a0145fbcb4b62480af5d809e0f95de8b13f2e6960220deafb83ecf2cd77a5d3dcae4ab87cdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a48fbfdf666cb0452c41f5dfde50661652be9e8fceb6dbec50a52c937b5f1e4N

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEoS.exe

Filesize
227KB

MD5
0e5b9786258e62e42d577dda3b8bbd60

SHA1
2aaa0079301f07bfed0ff7021a3bc1dd9a74c671

SHA256
6a0594499d78777cb9d31f126b6fa0d81380a6cbf79f4af0c84c7acfd4c6b237

SHA512
baf912d5ff21521156fd0f5f78269f1c2a81d46f9ad411923b9ca91c2c822a6bb6689a802876523d353d247987ff1f4383683e6b789d9ad749af5056364a6eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMgK.exe

Filesize
571KB

MD5
96b2d86e0792ef9e8d5fc766db745801

SHA1
ec66df5877dfa78ad3cee640730ab30f205eead1

SHA256
262916b12277b2313f286d6224cc507f49165e180c96da074f5855fc4183af06

SHA512
411038c2529c59a7e2c8d3fe6675fe75afb5b18bfb20eaed0691527beef8b2b53e423d0a646f32ff4a4aa4dcb570eeaeb2c0d5c91196d442cafa487a036e0bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQAk.exe

Filesize
780KB

MD5
7087925d4648392a3afeeff9a9705801

SHA1
36b87bdfaafc18f40ea7c64855f618a85af5ec26

SHA256
bb2ae18402cc88beef3d8568c71ff6ce55a52f23dff0bb07c362ba01b794df0c

SHA512
d2f6a061848dbed480fa7f1862e8996c3093e6747a4fac77a61bc4a0ed4684f2140bdd4c6de60e9669415af24b2b0c363c499b813c78433e427272a746fab8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgQU.exe

Filesize
202KB

MD5
66b9c374e89e0e82c82ea1e677dda1d3

SHA1
69faac3f885d773abeceb967d0bb9ca8b0682a6d

SHA256
0bf86d53d6128264cf41a9decee607e86ad168b621e8ef124551060db7981f25

SHA512
01854e7b41eefaedef6dd676a7a1a4ab4df266da97d97b19d6e72a07cf71c9d97417916afbb8e46532d0bbb88bebd327182822050faed422d484f07702f5b280

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsAU.exe

Filesize
207KB

MD5
450e8527079ffae01e26f2960505c4f7

SHA1
9f0017c887369e987e7f383a5ed8af9184ab2cad

SHA256
b2c2e216de4bfc50880798e7cec06bd9a181d2ffbab909808bcd797e6e261540

SHA512
3bd5c42302299d5d74d8b18ad03b03879bf3cef4b937967dac84bfd287de2db268cfe5a81a50a90d3915b7547a16c35c32222b6c68eb1674611c118eca05cff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Askg.exe

Filesize
213KB

MD5
fcbd7da916c8d0bf44e738237c1e0376

SHA1
7ceadfdf19def3bca1b0c438d861450261278855

SHA256
8ef03a9a5d9746067336ee5015875bbd6e679114d0c0634bba1487db6a33313a

SHA512
4d558f8c88f2e750894475436ef8ec115d385a96764298581d5e2faf0f05d1b38922836da0c12611888fdee0dfd72c0fb30e6e1fda93b3f0c13f7b7465b4800f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIgw.exe

Filesize
196KB

MD5
dc66a81115ac60e449cc16a87d68a760

SHA1
199c4abb3f41a4eea272a767fa2a80fdf6344877

SHA256
1479f25500aabce0a69abac7d79ab4d80ce473fa0e84aafe7278f09b5c244f06

SHA512
7b9d64fb551d44fd467270bc722479aa905ece3debd327d375bc7505574dff0819bbc6f0d71d03c43a7dcf7ef6f22af8ebb3894ed201d4bbf8c7eaf328bea72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsY.exe

Filesize
790KB

MD5
d4d737d968e5cf76df9e2272ee4c6425

SHA1
e41ed1d92f9900cc4c1e183dac68b70b7a026883

SHA256
29e5e1162dd99358572de6fce4e05fef0d2546e9b4ca9dff20f19c296f13c054

SHA512
97ffb1f62dd6fe4059e52d46a4822598946f778af7c6ebc7995087826cf44c6dbcbec63f1ebee5df3ba775c5a837c3b5bfcf0a88bcc3a0ca4adb3f9e103444ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMk.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYMM.exe

Filesize
311KB

MD5
f57f003f761667951c09f9b2684ed0f1

SHA1
c48676489af7c1adbf2f7882425cfa9178386ba0

SHA256
868fa874766cb229bd155ceb6eaa63bc43df1bb07acaed771f00ba293ca5ac3e

SHA512
10f726f739a060d8eb80ee0ebf29567f32fbc88cc42f780fed4761f34ec63b16fb286971929a3d35f5e941c8baadc80fdfd946701001550fba563fb1e95c7a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcsW.exe

Filesize
641KB

MD5
cf442436220798d511363baeaff83b41

SHA1
7212626bda02395d445e0bf96db9e30e7941e065

SHA256
39e305b4332f1583b697ce32d32cca116927dd933d2d0e1697c4bbd7387c9d69

SHA512
4a03d4c67f5f47d35197de099fa0b1175f884ab737f637e27d3cd4f4bdf803461baf63b18ed2d6ea42ede08953a56829d00c7670c436a80deae54c4a664a9472

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcEE.exe

Filesize
325KB

MD5
0e5e068318219fff26842b40744343b6

SHA1
11b2df1e3e90112762bce6204184edfbf28f6dbd

SHA256
f5909bb216b31358ef4c4796c2773cd69de159b41d7d84ae5edc818f4b7eee80

SHA512
5fbb181b27bcceefa69043961c247d6bcac1e5c9f7bda84d23507ef1ff8667a4cafa2bb4d62522d2514a7b16b3432ded933d87826d04e953d62e0e2b26b2ec4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eocy.exe

Filesize
205KB

MD5
2efe103f078e1eb0dc989e00931d5c56

SHA1
c65c714a2f97abef7806831677ea6e1a075a269b

SHA256
4cbac2993aece454f61eab10a01ae43fd07227417b438398ccb764542b60ef1f

SHA512
962c4884d6180c6fe017f1e3486ada35c9c5a19b7fc7ab496e7bd4ece9422373f0db8b417ddf0f3187d637020137e0effb561c501373a5ab33a98f569f3396cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYAq.exe

Filesize
807KB

MD5
0a1242c50632ddf0b58e9e87085dac74

SHA1
4b0dabd0ba529ce65bfb72c651e81db382349a41

SHA256
83b61cab9d59d01385c2a2353174be53221322643d458f06fe4176ea5d5ab17c

SHA512
6d3ae712f31f5ef61450494793597c6b5c7a3f109423dc175b0ef9d6230b26b524969c0791b66490a544bb47536f44ed865ad416465cac58b49de7f59fc7fcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYEE.exe

Filesize
202KB

MD5
39805fe10fcd5e8c31f5e8087ca395a9

SHA1
406b6a58df23cc2191724dcd93d924c4b1169223

SHA256
dcde1642f9613859a376eb5acb9e735f05f5a2666d686ee168469e0d146cf43d

SHA512
8562fcc7cede4b5d46d9bf0acecaf30a7be65af40b9d53a5f9df852bb8141657f3dd46d9376bf319cf19be1c905127ab2b8016cd6388b537665171e063be0714

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYIw.exe

Filesize
192KB

MD5
79044accd97ade2bb57be48c8ae5f827

SHA1
9ce5a722a14ecc575b3c85b98d086b5984dda005

SHA256
b7431957ec27142879fe5fa4a46236ceccb14e0228b7f9d6216305e3a3a02313

SHA512
7c0f0d1557d06f14beb9e36abc2423ac62d74fd737a52ee4772fdc7cd34eca6ba0d79ed12680e05b7ea1c7ad8c47d2169c51692c825c29c4ee2aff761fb8dc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcwI.exe

Filesize
567KB

MD5
02abf04213ff545e09d692e92648577a

SHA1
f664395d90c9a5ee93eb3ae659c6bc962175f3e2

SHA256
3877ce0dc9e4ac286e3a74f84517daca71ba955e48aab46f75cd9029529728ee

SHA512
6531d36f569a9dbffe3342e444715fe7fed495f0db42cfffc8154d1c8b6830c1f81e596591ed7549ceaecaf325d8bb7eb0a40028571de16e0979699bc3b76207

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwga.exe

Filesize
189KB

MD5
9b5521a5a5e60b7814d5fabed267bde1

SHA1
b455d293fd5971a393f7f363916a5fd45c335168

SHA256
a330b928c6fe50f2a472945c711cf43da42f13da50965e78f7f12e42031238f5

SHA512
12cd6e9d74cfac67da5614cfec775cbb6a7e4ef2dc74da4f41cb4f429cdf9001c17fbb7c96551e083ca72da4fc2852d1e4effb7d9c85b39c6da1cd42d8b05b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAoG.exe

Filesize
298KB

MD5
e9a1c5ee865b9b2f86f1eed0df6548ca

SHA1
252c3ad9b321a455bee82ff987444b3ff447f14d

SHA256
52f39bf8a89020031aadcac32c632c85a4ea9f9daccc45688ee7876cf7421578

SHA512
7c030544560c0b1158f8fbbd108cfd4e9d8399dfca984b60484b5edf4c04fdb0f9252ff534af7e75e960d0093a2de8752919c7fb94d6787ebca96d397e8f7e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIEA.exe

Filesize
198KB

MD5
fe70ffd075098c050955f28815af1cbb

SHA1
3b95780f61d20581ebb0738890cb30813ea2301a

SHA256
3ca7db88a0645293b7ad861fa7844375ff06e0bcfa5f1be764c43ad872270ca1

SHA512
0aea9b96b65575bfc35df8442f27807e4bb5c5c2fbd3fb52788ab76acae8311f2aacad182bbd1d9f24bc7091dcdb2d019e656aab28a024289a1a8e2589f40435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcA.exe

Filesize
187KB

MD5
d3d5c3f438ece20247369416b4bafce3

SHA1
19c6fc1a10067d1b427b8c96fe19b4c9686388f4

SHA256
3578ff9552dca8799efa49de5f65fe2fed9b727b6feb5484630712d7e2dd5cdb

SHA512
ed22db5bd0625b587ab6e6cdbfb4c6cf0c0a224a15889680647fd2e2f4e8656fc584186803d22166a1897db6895549e6d017b9b77798c3e254ee1ef9103752c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMou.exe

Filesize
223KB

MD5
69f362af9c26ab94ab0e39c53f15ea3a

SHA1
74913c8e8f2e2bd6e3dc2ff6199773bd3069756a

SHA256
8f3ef8f6ea6bf112812160bd1273dc37b57ec32783185e83a0af257c3a046746

SHA512
f87fd791e9eec1cfcc7154781862499d3407b65ab6981173a9064eef38ead9ceabca728900cbc0651d860324f71d909dc904850a4190d3e901301542f0bd53a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUww.exe

Filesize
205KB

MD5
03419d274afc39debc95324c0f03e142

SHA1
4ffd13bb9de0ee1207897a3c896500a203c86828

SHA256
e1b99966b4af8ac441ec74abcf1b81b1ae12204516e2c6b605a0df8a76859989

SHA512
168bef2f5e3d3bdff1b0ac664a9d77f959da54d118ee0062e54e135e0cb1ec6630b35d2e96034e0c2848b0cc34fae762658b3e25a128be8ed271c2e0c04bf28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYoE.exe

Filesize
190KB

MD5
747e3083e5d749d92c213dfc7d22f62e

SHA1
f881e8aff08b5663f431f16ab0e88fbf36470142

SHA256
195e801d836f5964b0f73a6e57fa58cdd9bebf306fba13aa8ae37e7af6b6ea3b

SHA512
def383dcd522a34eeb59a0bfc7b6d60464333dadf2335a5bbf2b8e8c30d7388cc0464ecf540c46f2849f7006177b0d1c130c62e860b0f67cef34aa8721a780e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsEK.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYe.exe

Filesize
202KB

MD5
c8f790d63e9d71f1ab2b5d5ae4e9eae8

SHA1
c4be7aa5adadd99d078900181cb16b62482968c9

SHA256
6215fd03f4b37d889cb5414ede4b4775da01f6a438437572ab72677f32e80252

SHA512
9253819673e8a33e32a8d41810f3c95a616cc04790c8262f2c573a6dd00b8df153eda79e54a62f65543782144f45342b7fea2ae9b303dd7ffee421e339ecc66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAkg.exe

Filesize
280KB

MD5
a6e9cd278170ccb16c58f4e8adc97221

SHA1
816de68fe8c318926b2decb0888cfb004881ffb2

SHA256
8c2f02e0bc05236ce7df75bf36a39f24beb93edcc9f78556f4d68df5a7648b58

SHA512
6c828bc1c29ddf44d25d3fb29ed8b0b9f6839b301867e57cebc0d2d8e544759eb0911fa8d3f2b7931242e0ef15882bf3cbf1244d06c6b60fe389b170efdecbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIoy.exe

Filesize
214KB

MD5
0557f9f798bf84ef02639138c90786e7

SHA1
02976029a0b33fb0a316fdb66565df1e38f37c9b

SHA256
6539eaa726d374958eacaddfabf88bb1384b5468a93a30785ae5e2ac05be905f

SHA512
6f2608bd987fe4a4266e34ee4b30d4cafbb736b56cf357078e74d8ebfe4cc7293709a7913a7188659bae9fd169fefe8c21b4d2769bcffc2391a2ccf825b807d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcoQ.exe

Filesize
213KB

MD5
4dbb19138bdd724d90122f08480b502c

SHA1
3a0e6195297a9b8887aafcae6fc53be56f7815e6

SHA256
691042b121c95105de435088270d4485fe09797f0c5ce358cfb86c2a56145085

SHA512
829e229a9271d092f2c80f44f0fbec751a6be44269b79d42b39144a5385ef42bba5886370dc348ad981ec7388d73682e15db315f990406ef01d8a7f1df917ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkko.exe

Filesize
194KB

MD5
8fa84b19469df19e35dfc60ac17b5073

SHA1
4aeac5868f25acf50cf4c0ddce4f16c1c4934463

SHA256
ed6489fc8102d15c214b916daa71d36aec141215dcac21bfbc71ed7fa75fdf9b

SHA512
a32bab44591c2fdd4dd4aebffb0ab4ff827ef111e943587deca342778bad0bd420eff71fa3ad4cb43278a2e4a3d1e5bf8fc83b6e13b4d57ca27f766aef32e43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsIW.exe

Filesize
283KB

MD5
f53b3b65c3c27ecc4554f0090a70202a

SHA1
e2a4e181079db3c8aa021a7451dd6b64ae3b0595

SHA256
5c6c9db1ddfc1d956a52d297fc670e855a5774a717ff978a76eee4a0dec31976

SHA512
985ee4108c46c2c699ce48047bfed14cbd10aa288f8be75a5cd8e14edde358b7d6f7879725f514e955672698fa4a29fb43823d2eb44d41861794042b292d4c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsUu.exe

Filesize
193KB

MD5
c4f12e54357562c47d8a092aa2900b4a

SHA1
26dbae13bd3a99ef516aad4051848fb9c8be6d31

SHA256
2bc61bae08874ef1ee42c9300e00795b7815e8eca2244112f9f7ecd6c0f69cea

SHA512
b564319071f866a5457c41a726f7922bf3696ce5a876ecb3d1812be69c6cae4104402da2559d6e81bae5bf7110be478fea393fb9bebf9724398dcf15409dea4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIEE.exe

Filesize
879KB

MD5
6299cb81e515d07a7e00c6594da03488

SHA1
5ffdcf0f4a37879d873b6fcdb612277b37edf6fe

SHA256
bb403e073519a8cc7adba4af36b4c2ab40f074b237ae1651f75f6445da663abf

SHA512
62a3328146070d565410907382ad889e0fd41c461ab0cccd6182486b481088dd4330b3a1a32680f12ce39a58cd1d1a0ae25245db731c269c1594b7a3116cc83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\McwY.exe

Filesize
196KB

MD5
989a2be8c83b2701da25ac6bcf0cdd34

SHA1
2cabc1a545bc11534ce00d3c51a9528a91e33e78

SHA256
26f073d20937c5af824856ae41146d0211ad73bf9647e662c70c0bb2a1c699ae

SHA512
5d473eed3eb35e0ef53b786fed5b42c5774a59d2005207e3edfc79efa81036ddb209d2ba704df39a4189266219002ffd4c5761a8fc2b9fc26676ff98f9d03467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcwm.exe

Filesize
197KB

MD5
7afb7fa3bcce08c4229db284ce8538a1

SHA1
6e113047e25e0dace51545258ac1aee38b090099

SHA256
22966781df36d221e30d996b3aa9d4839e8bc550eeb8016b301b3d8b94b76585

SHA512
440d6500ac23ce706cfbecc4faff02d6409f6e53bcaf0b9e800dd7e9cb8d64b4789288b031936ad39ec99fb9bdb622237f3e927e9a56cb939622a4fd004dbc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwwW.exe

Filesize
195KB

MD5
f5f1191004146e14a93a965b6c5bd57d

SHA1
8a72f646cf15fcbf1770a7227325d8435b360744

SHA256
a790243973f98a910aefddb0db6616b71845a25a704d0a657ff38c6f0ceced2c

SHA512
c06f2d600b42159d511933428df0b4a7bcbebc7d50a8b6d7161fb041154cc9b62685968de42458f1c32d513975dd845bcad95ae5d7e4305e306a21bb674d553e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQgM.exe

Filesize
204KB

MD5
d3d470afb3f2781b28ca2f74dadd07cd

SHA1
08461a5f03b057538f1fc6a8aaa975cf5df529d2

SHA256
99e6a287cca26a851ecdd9fa93c305f11e854988faa68533f8fda70ea28218c4

SHA512
ff7ef464e658791747b231cc1ecb8fe4a8c8310879adf25b9941d9778d26e6db613c0f4e8292813134b9d5efa275195c9850c478d9d711f565c4f532e1b7d282

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYoi.exe

Filesize
1.1MB

MD5
ca99297e45b4579039e3a37b5c3573c6

SHA1
76ed41d5e2059a153fb1942ba856597802c34230

SHA256
e2ac63160897655620de0c3265c4c4aed5f63669f007563cf23341cd969236e0

SHA512
853c06163642c706578a3de05ad70393a5e805a55f1488289d4823336441c95d423ff954ecf54e9550d81669927700a3478a42680ad4c6d973c9c550428e07ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgMc.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoQq.exe

Filesize
201KB

MD5
d7d7e56f41c5e926f008f70573477cad

SHA1
b09690e4845f1fbe7837ef9903a41eb8d8e2b88d

SHA256
25c3ee55e15bbae45baacc2a8ef76f85c7aadfd4b6b5e7d7ffedbec6d6c87a4b

SHA512
4138291fa610682156fee643fac60bfaacb8b6dce5dbb94d9fd754c51e4f71472faf88041b7ea0972841b8a5b48959369cb2c230ac3d293eb4dedecce870ce21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owky.exe

Filesize
238KB

MD5
fbee84cff4685c4b1f06d2e4ca9c0c82

SHA1
8821c4303fc76670a589bcd445930614ccc5df81

SHA256
7fe594b9cb9616f033e639c8c51d03dfea530e1d6a34f2e4826542817b2e0a11

SHA512
f60ef89d7e886a6535241215ff548bc7ab1a17cd47e6bd6cfe79149236378fa691db231872973cc53184cb8f512b0556107ad1e53404a5a002cafa09ef44e002

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcMi.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEUK.exe

Filesize
185KB

MD5
6393141599818ff62c7c3d69bd970926

SHA1
0c41e212dd4772385eac82befb62ffa85ff7957c

SHA256
3fd6d57190cf47d168e5e855f8cf4eabe0e504273b9c3144f615dc95a6defc65

SHA512
326fae4bb5602719a7bbe95ddb5e180b7e102e60881ea78b71d9b76299f270f2f20b8af97b19094d520de1699c56b4b35bed89dcab70be17fd72c3e8503a1318

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUcS.exe

Filesize
204KB

MD5
5e93cb8c4015f0b53f029c816fa36b97

SHA1
87c177ded682142d09f409f58c446eaad842fd18

SHA256
4b79eeadae3df07bc021cf5a5c9186e929cfa13e39b0a59254bfddd04b301d65

SHA512
424b0f43ee598852f7815c914763f643877c9983db8a21a27a571cfeadadb0a062e81487d1bbf328b44e45df6dc60071b5740315c5fd9c929aec45c6277f8942

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYge.exe

Filesize
208KB

MD5
87647cf7631df8ae1cbd3ad552c529f0

SHA1
6e86cea3ded16a805af758612a9f9891453bd60d

SHA256
4f4670b46861e956acb71595bdeddb06de7c681d340074137834f24005ca543b

SHA512
f32b072428a4e686017b5b234a22455b8d0f4b223a317f24a1202ee0b487cc39d0629b1b0ba3fb448548260fd9c03d6d32b7c535b72008eae3c9280f80443b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwcW.exe

Filesize
328KB

MD5
25ed330ee216517cbb685d6d2ee25849

SHA1
5889ccaace58feb7c4fbf879e924855d925aa47b

SHA256
10053789fcd6bee470b69ac3fc996fe2454f9f6d76f2f4253108fcfe3636bebd

SHA512
d745cbbf3d1cfb51eb427bceca59e1ff398e4ecdc30fc840cc47bb67c3f7806f42803ead30bf45bd1b713c69ca00ac33b229c13cf39ef64bd4da76588f14d1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIIE.exe

Filesize
804KB

MD5
aa9b5c4cd10bac6cfa9ea7bcc43b16f7

SHA1
1d7599d010c3cd015b5313fa8d3478a1abf43447

SHA256
0291b386091818e6b075db72f93fc3b90d55007ec08fa7b76b2983514bb8e953

SHA512
a5f788c99ab5a065efa24fc930d8654e862e3636e64f6dcbec8e20dd7a11008ef89659b23082b3bf9267263fbbe857e977abb84639aba81a58b87598818c2086

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMwM.exe

Filesize
200KB

MD5
7ed912b99d4834178222d1185cd651ff

SHA1
64248a37cab640c7f1d38a70ee6a0ef3965e093f

SHA256
0bd7803cd03e54f6d13274cfef915d051a17c31c404bc272ab4dbd91d42405d9

SHA512
132ad143bd87ad1c30ccca2cbab96e6405809dc8904357064d9ced1bf5858683fad4e191db86e1fedb1f9b3607c3de2d3bb98067861d0893722f48b1e83c2ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQAW.exe

Filesize
208KB

MD5
2fc4f2e5693d07cbb5c53f6de7b1fbac

SHA1
32ea34082abe5dcbd9e6d77fdcc91d15f9484690

SHA256
27113d02cafb1bdecf02e4bd7ff16bfb3cfe95820bbff4cf2b62aaff08c6c8f6

SHA512
377b1d30b34e204b5ef23f63d85b2d440eb5b875d35f63fab9c5472898f76a749ce12391b56f3b30edc0bdec09db2bf1cd708a9810273138aeec3e49a884c235

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsQy.exe

Filesize
199KB

MD5
a9847334bc2cd36e8ddac2bf84e4057e

SHA1
fdd97eed05f261a0ec5610eecb39e80b50839c5d

SHA256
73179e56339319647d899175821649eff2a2fef11616bb2a594bf4d59947d833

SHA512
b3f53fe55275ad32b79b4ac4e51050e9b02c7af174411149096d3fef50ac119c1b6a3cf5dfe4cd901a108bb3c537adce74fc5dd78bd37d3d3c60ea80f33f5fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usgq.exe

Filesize
198KB

MD5
1c2db6c9003b2258ed0d6e34f72134bc

SHA1
becca8ce26511497f7d76cffdc1b946065c2d021

SHA256
6a918f96ba374ba3ed798dc6ff57d8c8f768936d5472aead6b912bf8239d5f49

SHA512
e01ed1168bfe8f3f528aff09821f046bbc590521dd0c5b8d84b3ced33ae07aea0edda96c4436585ead90c030c09f46b7835155f922e27dc02dd2f84365b01080

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAIg.exe

Filesize
813KB

MD5
20543a54cafa199a9830246dcfecc11a

SHA1
1529bda25b635cc6b96574239382b986b17a03db

SHA256
c69dc98ebfcf02b34f0b78474eba5fbe68a3d8e21e8b6f973b77a825ac91194b

SHA512
d09bb9e48fec255dbfc9ac11c2329bf3c76fc7e0f743b630029a36e8f43c61eb4acdd66bd40320e8141e4b98e7ae083db8b381a7c55e6faeee985706c321db27

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSEAowoI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkYG.exe

Filesize
427KB

MD5
dfd431a14e7ee040abb79edf9b6b7cf7

SHA1
61c9a54f27dadd964b3a01d561cf76fbe1a4fe8e

SHA256
0797c113ab8d67cf337bfe36cc3dbb63635c25c22b904d270a2404717344d126

SHA512
7304c312f41fe920bc8d18d5200d50005afe7e1de523778e377fbac30832cc29bd88c191bcdb4f6c3e84b201b8a735e89c17cd1a99f8bdd376876b35c0bba355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wssw.exe

Filesize
209KB

MD5
eeceaa74f4b6c0602a1aa139e3807022

SHA1
c8a9451c0c09750e1bd8ccb9b577be89244652a3

SHA256
a519076501a699a634861b61bb802c95a1e4b7c79408739fc13cc1847ea8a77a

SHA512
734e7288d4f152c93b63b160b542c64f88442ae54922956021cb0ab91245ac15068389d9a575788b31b95f8a17ba5e7bc990abd77d679b8a69807905b31de23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwkS.exe

Filesize
210KB

MD5
26beee1c50fcaf8145a001b153dca8d9

SHA1
bcb55f392e8989f7c04e0feec946925dab466a0b

SHA256
665fd5e286d315c37d6cec2c6911eef7ad2e5c625aa5354112c81e1f9be3db0d

SHA512
68cb0c6a5a65109c64dc360433be5df356a2b1a6288f935b707131ef10c924d35ac5cbf29b9245550361ac0a26a382d4179289e76ed1c52b50ce6ef2d6fe7924

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAAS.exe

Filesize
190KB

MD5
1024be2e5064adeb0f1ce90341ecef6f

SHA1
013623594dd5f85b28ec28fe4c98e6f5d71af291

SHA256
92f3399aab616c31fa650be6aa752011e0ec9fc3dada31c341f2324fb5c3c276

SHA512
c3a668a100bd3da469cca7d7fb0eca711ace79588cab1b8d43df9cc7b47dc916787134bae6ca030845afa5927d3ddd6236d5b9d50679dcfcd895cb76bbb5d844

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIMk.exe

Filesize
186KB

MD5
ea84cd131bfff1be78c814c8e08c957d

SHA1
975ea5b3ccbe5272da50386be15b33f5a82e8bb6

SHA256
7ae8f0cc500ea433b47b261248702de07a7296eaa8091625ef6882f6be4521b5

SHA512
2748518dd4e70bf615bc746b57c1ae17f75ec48d377423681143e7e516c1dc4992bb6114ff09143d409978220f398be5db42ee8c694188b74ed013889e612c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYoy.exe

Filesize
990KB

MD5
9caeea8635c6133b9c2ffbfd4d02f9e2

SHA1
db85496c955fe49f0858c8aedd28d98f74fbc96f

SHA256
6029cea96ed7d5577c85de007bad8c73f0dc7bbd68927eabc00b417a4e000fd1

SHA512
d7c46a1724c7946d339b44ce60e94579ce58f7b9274f7ed1a3405b7effa510ec058de8f5f1848fe33e53e4433cd3af71803732f7980d57c08aa2a5b134453041

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwYg.exe

Filesize
193KB

MD5
64505c5e5d92e22cea69441d90f9f895

SHA1
2b728e13eaa48962664515cfa422f9aa40d95cf3

SHA256
ed7feed7b9f821a097323286446e72cc668fd5f4e37bc2899f76ea394ddda1d6

SHA512
c45f1ea21ecea8c5af280538a375dcec6e327fcbc9f1c58399e360bbe8a28e8e28e2e7445c831b67ad51d905d11800390f4225e1e1f2d631cb581b4cc435fe8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAUy.exe

Filesize
210KB

MD5
9220426594c957f19266d5425a13053c

SHA1
86257b363bf51c6bcfd3b7a3c8fa0d6215edf976

SHA256
8edcc41b4c33f988eb4826c4bc0e2c1fa8a5fd2ab3e91474a4892278729f9568

SHA512
b1e67880a0721f0e7a57423894459db8a3151db22eef3565d95de157d10365e59a2d636f3af37723a97f437350a4ec483aa679031f3263fd97cc69955ca8f2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEsY.exe

Filesize
203KB

MD5
3c6a98e2b5e19765039be43a4533d9d4

SHA1
62b28147911a3c6fda5cf22db098d41c8cbb6508

SHA256
b024be25b57eaed03443349d49789394c5b47e91bfef8ff8fbfd46fb7c75736e

SHA512
2406f0692caa9bbc876f865924b45cd305b954b2410f183b37be5e54fc98265b26344f4ab858bd017f8083ff916cf27627ff5a4d6f92205dd332bb6d1dcd8e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIAi.exe

Filesize
205KB

MD5
bfe0c66ade0c7904dd2cdde21bdbc3e7

SHA1
843c41ded34db7c7314148b3e8aaac180c81d8b6

SHA256
8fd08a59741371db9219a6c48f0505126bc44ce1077abae1d9d6fbde3c15c64a

SHA512
398ebda22103311154cc616a6e3782c5232af83b001531b9235eac2b3114dfdff8e5a5cd81d0b092b4e5ac73869c76fd54c27ab73ea2a4e43e925b07af57c4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIQK.exe

Filesize
837KB

MD5
c9677ae8beca360499ade1350c694842

SHA1
d9c4c28fc57ee8b3b383c669ddddc83b89e69add

SHA256
b44bd109e2e1458b1f7827f3871c449b0a721d107a3804ff74331ca811451952

SHA512
48dbabece1c0ab1c173e47b4bf2b9ab32260960fd8aa11250da143e3c40e4f95c283f126931d6b8a06f354006e5fee3094d9db32c6f579d4a1bb8d00c4f25dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIoS.exe

Filesize
196KB

MD5
c16f5b2648bd989f442a2d9b12878b69

SHA1
940b4ec59de84cc83a5ed7c99d8dffc51154aec7

SHA256
528be9c9d3575adb212d3d440a99bd4f35b148c582f12a451259e946ea8f055a

SHA512
9bd15acecd71e241261e05c7be5e1eddab6b80e2ec882f23de9773143dd6e59d3396974815b947791f62c7b6a4649687776437e2f95c0253349e14c504b5426a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQUQ.exe

Filesize
187KB

MD5
039536bc3025be51d916cc899e845732

SHA1
667df57ab840f462c0d0208807805119dd66fec3

SHA256
8a003e58bc56bc0a4f7272f42c3130d4263800d6821babd7a0079e3369776747

SHA512
f64a03b706faad11c27b7e4b4715f68a9e002c788e3fd5c5a1901a6668364487dd6d3da615710b1024283727ff211b7c83e03755bcb075dadcd162986ce82abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\akAE.exe

Filesize
641KB

MD5
dd54b7a61f8b973ffc072213d50fb0d6

SHA1
6603d5ddce69ce657e20306a8b7c4386694b0979

SHA256
a91ca8492782e8cbb2d7a321065fbd2a6dbd2be946c2364963217386dc26202c

SHA512
80d941a29d6591189bb496ae307a45b7109ed559a5da37acd49b5cd7b796842885e0ca5caf480506fac3127e53e7361ca63521e2cbd0e3a638fd48f2cafc927f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUAU.exe

Filesize
196KB

MD5
30a5db9927cf870eb23b006bab5b8adc

SHA1
862f5a9f12093e04f0e7e76d6c2e73dd5a2733a2

SHA256
f02d2d49d67e2b34fa99a698c8ae3836be4dc14f6c97e81914769f76ef948752

SHA512
3217ab4a3a1b8e138885e8b7d40ce5d7acf481c273197f5e060a192a303a6bc1dda412d2c23fe2545327f90dc4fdc31e7996540cf913dca725f7d63c57a4efdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUAw.exe

Filesize
215KB

MD5
b31414c2322e312c7cfdd1990b858398

SHA1
d35552dd65504f9e38a9c382ea49443e7d169f18

SHA256
0c35278d3d7a0ae75fce0b743e480d7c2f5ef94f0061c77548ebb5f340477cf1

SHA512
4d3359ea34b26d4e0c875cf2929fa45979f30046cb929958becc458bbcb8319888aca2a1059d06c2f1ba61030cec3788a89a2a72fb2e565391622c6bc6f3e234

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUYE.exe

Filesize
330KB

MD5
368074a55968ee29f49ae772142bc275

SHA1
577edcc63da1fb8e3de0fe84d9cd84ff84c6a527

SHA256
59eea3be65eafc2c13cce9e5ea63064acd6f26e59db18e3749bc1674c9c189b1

SHA512
5fd4528d50c52c57b9d48f9756f38b510cbaa62fc4c38b80d0fb19f89ac6cfff399f2af3d3616c23d0efa93820ca9637dc764697659a8739bd37ee666cf7444f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYIW.exe

Filesize
688KB

MD5
a07571790e9134debe8f2b79c88a730a

SHA1
0330e5b2e7f0cba9aeb55b832d7bdae07f73c774

SHA256
451c7016f03ce6980f9d59d2bc726b719935f4e5b6c7d5613cd936ade7ae9dc0

SHA512
1751c8b8f4ae01e10dcb9cb3a4f9ac79fc6aed0eeda74edf36207a533d82149de11bfe0a8cea4b307d8371141930eff0abca1f99c315cefc562f11e48027fdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckMG.exe

Filesize
1.1MB

MD5
a75a0d8705c0c26918c5cc76b113f1b4

SHA1
e778811b21022f5d5fa6e65da13315990c829473

SHA256
606d290b93038bc56f81bcc81e0c14c7af8ce28531e0a422b9c761e3ecad06e8

SHA512
72f6513d469e5ce410cf846fe31853adba371b5eec20cb450cc6f712ec63078ac979652dc27706e1bef9c597ea134256c3b3f16855fc775076c8e03d09d0ba77

Download Submit
C:\Users\Admin\AppData\Local\Temp\coUW.exe

Filesize
197KB

MD5
482f3c3239bec6d5ef15e969d1665ec4

SHA1
05426a4c75eea621f8a5b55e1b54fb88241db121

SHA256
5a28c7f5081b1de318f9970765cfcb210e0a7d491590525a0854de600e5c958d

SHA512
0bf8ee973f063be17588a5e7b3e3e2ce7bd45057681ca0273c23d1ea22094873d154662986284b7c02f74a35b409268808a1e9e5779e68cdca49a13182a2a87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csMU.exe

Filesize
5.9MB

MD5
0cc12addebaec483cf38d2f0e05ca47b

SHA1
f764c32ad68a5147065b63e25a2134e726bfd3d6

SHA256
0b1e48b5f0e3fdea96a09da08dc85fa8a38a12c905740acfb931a5c7956107d2

SHA512
bab361a95f0685ed18d40e7d24f7081b4149c1b011abd5c6dfa6ab0c1dc349467fd42f89fc5ea25818adeecc2aea1e79b13b0ed3e84d8a6aa76a18574725e3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIQ.exe

Filesize
1.2MB

MD5
61c87aba0c3dbb2f1bf286641501d587

SHA1
b39b6f982317533ac677d70d7560a7d9e6395de3

SHA256
33811afee6cc451f3ad3c97d91a88cf548736a8356515c9338570358c24c1249

SHA512
a9f7ebffb5225a7c59de274c6c520c0667b722a746f3bb5c61ef7ed8f28da47c5984696e1bec69a923d94e158acf829c6f10766ef866fcf27e4183cb6768347a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQgM.exe

Filesize
197KB

MD5
7ed9928b7d81bb63275b1ea5a01a282f

SHA1
f0101159c4b4d6692097f2694cc9b80d1cde6a2c

SHA256
c6b2d081f54af1cb124777ec49c91ff4f29bcbd4a7502c8265289768086e4ac0

SHA512
8beb5e9b41ce760511004ffec16ce3fccab3d1e0305679bb771f8554dd0e6da46d028b760b4f0e9adb917e5fa486bd913271795024b78bde09d6a26cabfdb1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\eggS.exe

Filesize
5.9MB

MD5
723bffb226102905a526737cb96bfdf4

SHA1
e3ed9adb1abdd6f05867fa296e6245aefab62a78

SHA256
15c0bc4bccc36f90f570c2c19afe11c1f6c2e09b9521de1d2986867265870748

SHA512
32bd13a8577ef2694fabfbdacb28c15a5ae413a7755661fad2a29b861065745eb7162a999824d04e3fc309bceea591f4dd15ddd27236575b4f097e1df545b412

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\goYW.exe

Filesize
782KB

MD5
bd5f4f6fc5bcd3a8f621238b206b85ad

SHA1
bf9cad663e1721fd3f1661243082d3f2f7471e43

SHA256
a9d05a7c8af3c71ee73cf9eb53776d5df30d0af5948b1e514fa41e6b67e90a5f

SHA512
d6916edb0e1f07910c214fa1d423bc9dafe9063274d72be75f913d03a53cfff6e7b33d2bc822e74b4b426d7cbc0d8d641db0ee2a23c3d187fc799976363e1bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMMo.exe

Filesize
196KB

MD5
eefb930b9781a7aac2587b2fbd3e4f2a

SHA1
3da3a6197360de3c7bdc6dd3b2e6081af61d7dec

SHA256
6b2d963a9d99ff1bfa3a4478f5623c8c598385f61f5bea88157e064c30309486

SHA512
4571f171779476f6140520855b162b26f572ab158574167cd45a1c9a18763971fed408ef580d8ddae651e753ac8331a28c7f490b1663bcc2534f988dcf08313a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQwW.exe

Filesize
189KB

MD5
c547b707f21a52824fa14f007ccaac2a

SHA1
49d8e3436e806200d951de6aba84636794d0fcbb

SHA256
3e8c09be5a20da874ba57c947a4842872381324e193e44086fa7c17131730164

SHA512
8d5fda4d970043ff10940ffe793d8966a7e7ef4e98929b3abaeb9d2dcdd8a3620a6dc4b85c04dac1d1b7009f025649a05111fe18271fca90f32ed81355cd4b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\icgA.exe

Filesize
198KB

MD5
49217f3b6beb1d736b900292aeca54af

SHA1
0a4d3d5a7e84f766f39778887e405826cb013660

SHA256
8dc63e4bcdac3c88d7c7a76c806843ab7cd79fdb4354cc625592b475230f483e

SHA512
f55edf0082301caa1fc6d43a46c881ca07bac7265c749e427a699f3acd88f28bdc20361b17d47989be93ddca244487827b60fdc5d36fdb427fb21b5240ac3201

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQe.exe

Filesize
1.7MB

MD5
c5f9eee8bd6eb61f70c2b2eb6a1f474f

SHA1
2267296856a084ead09b6d6d7a979478687b6663

SHA256
ec1f3c096f53d827c5521302d3b0d83f649f814bb8357b502c892be22855abf1

SHA512
3e396179fafa3a7bac801a113eed5fc65cc6a7fe462bfc24910c864141332f8390b2a9f4ef20ee7a96d4d6a4d98944c035ff4c6dc9a5d47ab93f5a758b1085c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikke.exe

Filesize
635KB

MD5
71a4783fb5d98528da76dfd5b6e713a3

SHA1
0e3252fd5c885c76e779bc6971fcea2916054812

SHA256
1ec2b7177e8b41a8a78f6b8aa9dc1a593d1ea0b60c3a9fc05b48c2c065b98222

SHA512
22841e1197a49b62082cbdbded67df858dd0f813299eebbf7019d95e0c62e4aed4a261606fa5fc80e58a9ac58e7bcd1531ba66c6fbb0850919de8a70e30d0849

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQcK.exe

Filesize
633KB

MD5
67f30bb361280054f28317ff4c566282

SHA1
1f3d322fd29b97c3d3ec34df3b8d7073d44d5aee

SHA256
58b25e59fbbb41e012cf83d9c0489d4bcc1caee17c1cd3c98cd4b9ae2d5bbf7c

SHA512
6d83b7728e316e02df84ea23335a37a7440ca0d2f7697abac16f721e8a0e22e8ceb7d52787879af2eaaa521d7c6aa51ff0be7cc8578c24c50393bd0bc7fc5dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgQS.exe

Filesize
646KB

MD5
411a40f0e5b182477f5f3c799191583a

SHA1
ee4d2605d78852a0c460530f4ad4cad1e4f33223

SHA256
322fc977a4b7007c689fd53676dace28d68d697d5193eb1eedecf150e9c6c6ee

SHA512
29bf0f8c15a67e164739bed343ad14217ba6f56164ff262e0feda409cf7d794c573ac09f497f274da60bf29b8ff7137ad755bff7e79a70b11f8cbfc420a9b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkMo.exe

Filesize
194KB

MD5
097c4eec2f7f1c61cf89f3190aa8a4a8

SHA1
f585ee9ab5edae2563455e127903ef06d505cffc

SHA256
dc431c98dad2e8558f26d0715ed1d749ee3d58a3ca6c571da218c366ec8c813c

SHA512
92b36e557213dd6fcbb1c4e89f51f22dbeca91f251347b13e3c0643f0fb11d6f49c375ae9f9c53593bc708e177e2d595722aee2a60f868df10fb99846c7957bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkYG.exe

Filesize
191KB

MD5
86511dd64ab59526f2bbadfed0b54d9e

SHA1
d924eb577721f21960d7f48105592481d0fe3458

SHA256
535c14e9b0c5c9a2da126a55106a8b702b03e4cc720c945f148e983bbceb615b

SHA512
5f55280ff72b14fb565f3c232e9bdaea369bd34a71336d5ecc6653c7191ca76c344b6fa6e21b6025b1d3ed5182d1f412e8f96aeda26d00c888070ddc07cf7281

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksAc.exe

Filesize
197KB

MD5
33178f78ffd6d4d2f14f325b758aa22b

SHA1
84081ba1e904d51f8080f3187001396abadd24ee

SHA256
f668ebd66d337754950e229878352fdf9b574124bf4a6ee83c4993c601be451e

SHA512
36f9838a3a3439dbe9b8e844ae24f983d083bb1ac012bbe4c707bb6347d4f6204c29a8273417e0c7745c425e43db3ac6954e2c158e7bd8a1b3ce5e562e1aa394

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMci.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYAI.exe

Filesize
208KB

MD5
746056ef02db9f9863808b3d622f2b54

SHA1
a28b42eba60c5eea9736049cb195dbc464a77608

SHA256
081a133723ba4c178faf3ce405c3fc81f1a94a082c128613c5fb35964098b953

SHA512
be995ac1e5cbeb9bbd386778212ca56bae8d8a893ba0ccc3d185f5bd102a5ef622691bba62491c591125bd3a08d70c1b20c372495b9aaa499b33a0d98e375559

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEku.exe

Filesize
207KB

MD5
12c3acdcaff98b7caeeee6549fdbf714

SHA1
d7abc0e3373f06d5d0e40f96ac501519e1ad4492

SHA256
a5282333d83cbddc52a592fbe7ef5d3ea6537c89852ec727cb390edef364f364

SHA512
5260d5cbb23fd1a8cd3fac35ba7f08a0baabee28686cb4ebd1a37127e4748131f5fffb33e177c810587b7caf6ea5bfc2e7c35a541f1f4886db171a7ed4d5fe3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIAy.exe

Filesize
195KB

MD5
71b86d2f0455dea835960f915325a359

SHA1
ec1ac6d41e5c25dee27f60c30da0b3b3d2ad16d0

SHA256
1f781ae336c83cab7ba28b41b462e4a3218b9f45001cb16abee4aa440081ef7e

SHA512
4cf9f3126af073fc3a8ab82be876657e13d09883176149f71a3186d4161bfa7280385be125a26693fdca850846ca39e8ca590161519845168181242ff6f74911

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYgw.exe

Filesize
207KB

MD5
83f3ed0f1021176bfb7727afa52a8ca5

SHA1
ab94dada86e80934b30f6125a44ca11a3fc3735e

SHA256
7bc296fa9b357341a72a93896b91c8c5d1e469d7c163ad04b9238c260f632878

SHA512
60f79e7f2b7434e3952199103484712ce74c428bb2765d0bf7be50008a3613bed3782d310e7c1cc011d90b02ee77f2cff2e184c5793c493fdeca690f6005ae24

Download Submit
C:\Users\Admin\AppData\Local\Temp\qggM.exe

Filesize
201KB

MD5
cd74e26978df9779e5b7a92b9f3aa527

SHA1
4757e82bc92728c9fb36b72f7df6d3771e8754a5

SHA256
9c5a4321d4f19170c931e245597ae39eacdf957f458fd021170a1b47b09a7597

SHA512
d08be7f236292392f734ad202ec0d46604909fb594e9c89b49a51d0e6d7b0ec465edcb75569b124f0364de700f012f7641ca5bc4748ce3fe54aeb9050342d5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qscy.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEkm.exe

Filesize
207KB

MD5
054b4f321963ac493b32b73fd212bd08

SHA1
62b574d6e92e6f837ba8ee48bd56c8099f7e1a11

SHA256
306d22a08ed5a0365212bd76723ad0d5a104e1308266eab311d31a8a2c5064dc

SHA512
0eb2d63385a671335f9a38ebba6f72d242af9c996051bccea9737ccb95dbdfde5f21f7e7fe4c15b52164ef2631ece38073f35afa3092280c0cad9471b0a1014c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgQq.exe

Filesize
327KB

MD5
171bcaa4d2c7037d9056fefa26ddac43

SHA1
5bdeba06d35e3b6c77e94c827fd3987848eaf730

SHA256
5c169258770d65c7c2a9790995f7e4fd205c698a5803600b78660ed24b54e510

SHA512
4f54931b5f748775cfbfef57e16b7256ea2a4b93c03608b0c4b25705c4164039baeb110bd4f2f6c949fa369a4d181e05bc417e3118cd9bd3990f500f20adb7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sssY.exe

Filesize
806KB

MD5
3981a28457f210dfb5b706aa7c5b8a1f

SHA1
961260d61e088fbbe648336b94e87803ca8a222f

SHA256
82dc8119ac9bd45bf587144a6043942213778453a2fd9ff90168bf0c2f8bf805

SHA512
0f3136bea95c2ebc117075834c00e5fdfe237a50fedaaf20997170a7b431e490e605fabd4f50c1de2d91d3af636cf07b46c74493419dc65874877bef42dce931

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAIY.exe

Filesize
182KB

MD5
77461ac6874450c6b41e2aa9c69f3746

SHA1
9d5f125ffaf2cb65b06073e53ad3829a82089eef

SHA256
0136dd60590a6dd3f3f5bf5222d12593d29190703b7d068dd3e4c0a83d03dae3

SHA512
69e4bc467c200887c7b64cac8d3230cdc1c26d01648f959b85cae4f44b20ceaf113186656d0605a0a1988f219a85c7ab93e734e2410250249371d3b354904e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQEy.exe

Filesize
5.9MB

MD5
c1b1ddfe92e0bb2d0fe5a20935731235

SHA1
39c54df9be7d7b5ef6bc0f6c2a0bec936e2501fc

SHA256
f27257b3a3dcbf9070dbd7e0b1a9e4f88a136fd49049edce964e84ee3c9a22e6

SHA512
0c7091702ec003d6d8a43cbf15d935be6696a3d34e13c24c7be39844db9a184ed8b8aa1e88354236031faa7b3a840ceec3359379e573a8cb9e22819dbfbf2bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYUM.exe

Filesize
625KB

MD5
c9e4c4e91bd5844acce48bd3d90a121f

SHA1
b17f2a2600e7a3b118e5ebaf2fc14718a80a9a2f

SHA256
02e63383061497ebb91d4bca0c081d78f83f97ac39a2b27dbbd8dc2e0271c9b9

SHA512
6ee1ead7106bd4c9ffbb269b7ff5cb2460dedfb4dd79815d9e9ef9997578e7516c872359d49ead6c5d3666d052fb08936ad40b5b0024b020ab95c55738c2584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYgE.exe

Filesize
199KB

MD5
a12abf0898bc7090d13371309c6c9ade

SHA1
ac0deb0b21f0c45dd16506d3b37233c818d3e184

SHA256
c2ddb47f771d09bf8ac4fb324c87e6dc9b2578385c551bfd81181095f6e45f4a

SHA512
4db2a7b1e4a34455856a22b04b11f6edffa8aa547a3cc0e8c843a6ea6eb368f3db4416141ed9b57c2030296b480dc66ae894754432bd953269a929d90506a0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAIu.exe

Filesize
187KB

MD5
54b242a7e6d0faf15c6ad2d9659cc7e9

SHA1
af60cd557a33e47008fb5f24acfc47af6bf6d60e

SHA256
ed1b0988f7dba03eab6c2cdb7e848960b4567dbe8a44d96812417e13ce6cdad2

SHA512
eee9883ab23f75a0790c764d9cd675b1a732d6ec84e63fc10941a2753c4304d4497fbd441c2dafe310cf91606e54cf2574953d7cf20c84b3c528f7c3702faac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMi.exe

Filesize
1.0MB

MD5
92f09a15fa0e069de418a03a140e6013

SHA1
c4c7fac9cd5d569443ea1e63d5b53ffc20bca41f

SHA256
8bf530089d67c7a8e6276e8b8f0a5962e0d816843299aa1daecf8ab4678a9d72

SHA512
90b316dabde1ef01a59bd58dec107c6066de0df3fb604047dd150ef77afc716b375dfbfb918c572cf24ac9b2155f85e6915eb6d381b23add05e64e78fd44ef0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUYU.exe

Filesize
1.1MB

MD5
c7669ebe33dc04264e2d083012e81456

SHA1
76526ce2a1e90b374a0524c0eca43ba386eb97a6

SHA256
8690d7d9f9c1180aafcbc91e9dc3796154bf1fb507263c5ac9bd6d264ece8b03

SHA512
cf75cc5db286f4ff8606801aa8963c771d50da9e6082ca1548de411852c3286a4b7816a423ce0355204d42ceecd1238ba26be43999372a49b6e350a4586dd421

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIwC.exe

Filesize
202KB

MD5
d92bcb73deae550f3207471891cca31b

SHA1
063f7c3f6fab2f7605a72c4a01fbb9295c119f5f

SHA256
2fd618bb01b1749a8e40a9c7dcdc5e543d653a89d38d945c5ee715fdd20409f3

SHA512
b39229525dc8c964e7e82b4c3e2c8463aac289469b4a9603fce1b3a22cd845fe243ec6a41b06059874506e7a872b67b52d874553c542832444814c6003615e32

Download Submit
C:\Users\Admin\Music\ApproveReceive.pdf.exe

Filesize
380KB

MD5
950caa9e71a4d07e140def9b932bfe6a

SHA1
78fbb0e66ed4c160545a27d58132d56a1c2a3e19

SHA256
d49d12015da8734013fe3baeeaed15a6d374a8771ed569235293e679ee7896a9

SHA512
2c4ef9cd4168cb47171c3c14c9883b3fdea335e14499c19fca0b662716fbe11bf13ad97e1910c707ef1bd2f4fa7cea626896fa571df2f26982aa02fc5362d51b

Download Submit
C:\Users\Admin\NsMkEoYM\GQsEUYcI.exe

Filesize
186KB

MD5
519408e7f7ea7a6b413a47a5784fb750

SHA1
38682a791833e8a11596c9f73363062c440f6197

SHA256
b45e1a16231249f659438450aa42c7c568b337c939623948678e92093d1cb62c

SHA512
338c880a0e9cba7ac829fb5ae864275f92bc5a5c15b29a94fb13703545590eaff5a15b0a635e7303816c798b43d12b0a72d2ffedbe9e75f49a77df07292aa1a0

Download Submit
memory/208-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/208-286-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/208-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/396-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/456-825-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/548-1056-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-612-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/872-482-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/944-147-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1020-194-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1116-519-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1116-527-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1220-242-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-418-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1272-544-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1272-776-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1424-674-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1516-448-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1516-456-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1520-630-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-474-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-126-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1636-375-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1756-447-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1756-439-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1896-508-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1896-666-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1896-658-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2020-356-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2064-100-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2136-348-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-65-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2348-638-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2368-391-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2388-305-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2388-295-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2428-410-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2428-402-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2452-578-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2452-701-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2452-694-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2488-268-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2552-124-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2580-588-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2632-492-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2768-294-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-181-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2864-726-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2884-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2924-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-622-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3060-528-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3060-536-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3068-684-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3228-562-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3228-330-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3240-314-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3240-307-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3472-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3500-383-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3504-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3564-650-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3564-657-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3660-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3764-500-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3812-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3972-1005-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-438-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-424-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4064-260-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4064-251-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4104-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4244-877-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4260-941-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-252-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4516-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4572-89-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4572-466-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4624-43-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4668-554-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4684-340-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4708-596-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4780-648-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4828-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4888-401-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4900-516-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4932-570-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4972-420-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4972-428-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4980-692-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5008-604-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5060-365-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5060-357-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5108-227-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download