3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Size

211KB
MD5

dd82fd67de555c611e2513dcaa80a4b0
SHA1

91a2024a0c6b8d6ac2ca383458d19a556ccd2879
SHA256

3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541
SHA512

bd856cf8b4656c14d37cb901f3f78a862ff92ccf412c694850c2025b591616890114f5dd8036fb747c89b8fcd643eec9b6144e79e5e5c5a72cc210e588507af7
SSDEEP

6144:k9NbYFEgTM8zbtr141Tt725mkHDs6ues+bcQX:k7+nzbtJWT45mkHSmcQX

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	nEYEYAwQ.exe

Executes dropped EXE 2 IoCs

pid	Process
4772	nEYEYAwQ.exe
1328	DGcYEcgA.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEYEYAwQ.exe = "C:\\Users\\Admin\\bWYcMsAc\\nEYEYAwQ.exe"	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DGcYEcgA.exe = "C:\\ProgramData\\qmQYIEYw\\DGcYEcgA.exe"	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEYEYAwQ.exe = "C:\\Users\\Admin\\bWYcMsAc\\nEYEYAwQ.exe"	nEYEYAwQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DGcYEcgA.exe = "C:\\ProgramData\\qmQYIEYw\\DGcYEcgA.exe"	DGcYEcgA.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	nEYEYAwQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2332	reg.exe
1380	reg.exe
4092	reg.exe
3900	reg.exe
1956	reg.exe
2340	Process not Found
3940	reg.exe
1168	reg.exe
4960	reg.exe
2352	reg.exe
4824	reg.exe
2064	reg.exe
536	reg.exe
3516	Process not Found
4744	reg.exe
1216	Process not Found
3500	Process not Found
2800	reg.exe
4744	Process not Found
4956	Process not Found
4004	reg.exe
5036	reg.exe
232	reg.exe
3452	reg.exe
4580	reg.exe
2932	reg.exe
4736	reg.exe
4440	Process not Found
2192	reg.exe
2808	reg.exe
4028	reg.exe
1824	reg.exe
2800	reg.exe
528	reg.exe
2952	reg.exe
1756	reg.exe
4676	reg.exe
4392	reg.exe
516	reg.exe
320	Process not Found
1096	reg.exe
536	reg.exe
4860	reg.exe
4436	reg.exe
516	reg.exe
2448	reg.exe
1256	reg.exe
2984	Process not Found
2792	reg.exe
4556	reg.exe
2880	Process not Found
1252	reg.exe
1540	reg.exe
1140	reg.exe
2284	reg.exe
4356	reg.exe
3492	reg.exe
4512	reg.exe
4308	reg.exe
4568	reg.exe
1200	reg.exe
856	Process not Found
3536	reg.exe
1028	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4580	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4580	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4580	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4580	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4332	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4332	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4332	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4332	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
5092	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
5092	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
5092	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
5092	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4660	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4660	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4660	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4660	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
2996	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
2996	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
2996	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
2996	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3308	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3308	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3308	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3308	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3672	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3672	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3672	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3672	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4492	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4492	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4492	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4492	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
1204	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
1204	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
1204	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
1204	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
1748	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
1748	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
1748	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
1748	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4688	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4688	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4688	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4688	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3796	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3796	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3796	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
3796	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4820	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4820	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4820	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
4820	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4772	nEYEYAwQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe
4772	nEYEYAwQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4772	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	82
PID 4440 wrote to memory of 4772	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	82
PID 4440 wrote to memory of 4772	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	82
PID 4440 wrote to memory of 1328	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	83
PID 4440 wrote to memory of 1328	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	83
PID 4440 wrote to memory of 1328	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	83
PID 4440 wrote to memory of 4876	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	84
PID 4440 wrote to memory of 4876	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	84
PID 4440 wrote to memory of 4876	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	84
PID 4440 wrote to memory of 3536	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	86
PID 4440 wrote to memory of 3536	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	86
PID 4440 wrote to memory of 3536	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	86
PID 4440 wrote to memory of 4568	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	87
PID 4440 wrote to memory of 4568	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	87
PID 4440 wrote to memory of 4568	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	87
PID 4440 wrote to memory of 2680	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	88
PID 4440 wrote to memory of 2680	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	88
PID 4440 wrote to memory of 2680	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	88
PID 4440 wrote to memory of 4992	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	89
PID 4440 wrote to memory of 4992	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	89
PID 4440 wrote to memory of 4992	4440	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	89
PID 4876 wrote to memory of 3424	4876	cmd.exe	94
PID 4876 wrote to memory of 3424	4876	cmd.exe	94
PID 4876 wrote to memory of 3424	4876	cmd.exe	94
PID 4992 wrote to memory of 2336	4992	cmd.exe	95
PID 4992 wrote to memory of 2336	4992	cmd.exe	95
PID 4992 wrote to memory of 2336	4992	cmd.exe	95
PID 3424 wrote to memory of 4240	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	96
PID 3424 wrote to memory of 4240	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	96
PID 3424 wrote to memory of 4240	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	96
PID 4240 wrote to memory of 4576	4240	cmd.exe	98
PID 4240 wrote to memory of 4576	4240	cmd.exe	98
PID 4240 wrote to memory of 4576	4240	cmd.exe	98
PID 3424 wrote to memory of 3628	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	99
PID 3424 wrote to memory of 3628	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	99
PID 3424 wrote to memory of 3628	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	99
PID 3424 wrote to memory of 4748	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	100
PID 3424 wrote to memory of 4748	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	100
PID 3424 wrote to memory of 4748	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	100
PID 3424 wrote to memory of 5048	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	101
PID 3424 wrote to memory of 5048	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	101
PID 3424 wrote to memory of 5048	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	101
PID 3424 wrote to memory of 2216	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	102
PID 3424 wrote to memory of 2216	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	102
PID 3424 wrote to memory of 2216	3424	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	102
PID 2216 wrote to memory of 224	2216	cmd.exe	107
PID 2216 wrote to memory of 224	2216	cmd.exe	107
PID 2216 wrote to memory of 224	2216	cmd.exe	107
PID 4576 wrote to memory of 2264	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	108
PID 4576 wrote to memory of 2264	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	108
PID 4576 wrote to memory of 2264	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	108
PID 2264 wrote to memory of 4580	2264	cmd.exe	110
PID 2264 wrote to memory of 4580	2264	cmd.exe	110
PID 2264 wrote to memory of 4580	2264	cmd.exe	110
PID 4576 wrote to memory of 320	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	111
PID 4576 wrote to memory of 320	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	111
PID 4576 wrote to memory of 320	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	111
PID 4576 wrote to memory of 4820	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	112
PID 4576 wrote to memory of 4820	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	112
PID 4576 wrote to memory of 4820	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	112
PID 4576 wrote to memory of 4356	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	113
PID 4576 wrote to memory of 4356	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	113
PID 4576 wrote to memory of 4356	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	113
PID 4576 wrote to memory of 4032	4576	3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe	114

C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
"C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\bWYcMsAc\nEYEYAwQ.exe
  "C:\Users\Admin\bWYcMsAc\nEYEYAwQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4772
- C:\ProgramData\qmQYIEYw\DGcYEcgA.exe
  "C:\ProgramData\qmQYIEYw\DGcYEcgA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
    C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        8⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        10⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        12⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        14⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        16⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        18⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        20⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        22⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        24⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        26⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        28⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        30⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        32⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        33⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        34⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        35⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        36⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        37⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        38⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        39⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        40⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        41⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        42⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        43⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        44⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        45⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        46⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        47⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        48⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        49⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        50⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        51⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        52⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        53⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        54⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        55⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        56⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        57⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        58⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        59⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        60⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        61⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        62⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        63⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        64⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        65⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        66⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        67⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        68⤵
        
        PID:2416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        69⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        70⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        71⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        72⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        73⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        74⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        75⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        76⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        77⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        78⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        79⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        80⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        81⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        82⤵
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        83⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        84⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        85⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        86⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        87⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        88⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        89⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        91⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        92⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        94⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        95⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        96⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        97⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        98⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        99⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        100⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        101⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        102⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        103⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        104⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        105⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        106⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        107⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        108⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        109⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        110⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        111⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        112⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        113⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        115⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        116⤵
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        117⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        118⤵
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        119⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        120⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        121⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        122⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        123⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        124⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        126⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        127⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        128⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        129⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        130⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        131⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        132⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        133⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        134⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        135⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        136⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        137⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        138⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        140⤵
        
        PID:4284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        141⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        142⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        143⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        144⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        145⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        146⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        147⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        148⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        149⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        150⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        151⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        152⤵
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        153⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        154⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        155⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        156⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        157⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        158⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        159⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        160⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        162⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        163⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        164⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        165⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        166⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        167⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        168⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        169⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        170⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        171⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        172⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        173⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        174⤵
        
        PID:4240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        175⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        176⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        177⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        178⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        179⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        180⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        181⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        182⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        183⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        184⤵
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        185⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        186⤵
        
        PID:3196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        187⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        188⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        189⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        190⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        191⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        192⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        193⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        194⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        195⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        196⤵
        
        PID:624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        197⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        198⤵
        
        PID:3824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        199⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        200⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        201⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        202⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        203⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        204⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        205⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        208⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        210⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        211⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        212⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        213⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        214⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        215⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        216⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        217⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        218⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        219⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        220⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        221⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        222⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        223⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        224⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        225⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        226⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        227⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        229⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        230⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        231⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        232⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        233⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        234⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        235⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        236⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        238⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        239⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        240⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        241⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        242⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        243⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        244⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        245⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        246⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        247⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        248⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        249⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        250⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        251⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        252⤵
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        254⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        255⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        256⤵
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        257⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        258⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        259⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        260⤵
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe
        
        C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N
        261⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N"
        262⤵
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:4876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeUEQIks.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        260⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkQwgEkg.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        258⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ficIEMkw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        256⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkkscAYg.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        254⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        Modifies registry key
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zigcYswc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        252⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkwcMAok.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        250⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaEkIIIo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        248⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWcoAQEU.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        246⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwkAsoEo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        244⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMUMMgQw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        242⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkEIcAQI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        240⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:1204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIoEIQoc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        238⤵
        
        PID:1252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqQscUQE.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        236⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUwUEkME.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        234⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUAcAgkk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        232⤵
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siwIUwQc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        230⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        Modifies registry key
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hicksokA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        228⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCEcUMUI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        226⤵
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEgUgcYw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        224⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEggksAg.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        222⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkAgcUQk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        220⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        Modifies registry key
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMsowQIM.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        218⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liookgAs.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        216⤵
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZccsAYsk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        214⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWQMooQA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        212⤵
        
        PID:1940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsgMkYII.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        210⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGIUcgUU.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        208⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcQYcAks.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        206⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaYQMkIo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        204⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSwgcAok.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        202⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEYYQUwk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        200⤵
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        Modifies registry key
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyMIkYQc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        198⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUMgcckc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        196⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIkoYYEo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        194⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\masQAokU.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        192⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckwMwwUA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        190⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKMwssQA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        188⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCcMMUIo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        186⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWwsYUYw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        184⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkEUAMYI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        182⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuggYgQk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        180⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMEkgUgI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKwgwYss.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        176⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGQIQkUM.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        174⤵
        
        PID:1204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIwUMYYE.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        172⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqUwQwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        170⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcwYcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        168⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQYQYocg.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        166⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MooEgcsE.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        164⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWwMAYss.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        162⤵
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgwcogQQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        160⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCwQYcww.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCMUsgoI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        156⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEowsUwA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        154⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIMgYsIw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        152⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkQgYkAI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        150⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:2808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuQUUQkY.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        148⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgsIQYUo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        146⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWsQgkUc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        144⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMwwIgMA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        142⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peIIMggk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        140⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiwIgUQk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        138⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYcsgssk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        136⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMUQgMYc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmEMAckQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        132⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGUkoUkc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        130⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqUUMQgk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        128⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCkIgIEM.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        126⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqcgsIEY.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        124⤵
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUUYMYoc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        122⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKMIYksw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        120⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSAAYMww.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        118⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUAAggcU.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        116⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsAMYUMM.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        114⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyAkgkss.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        112⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGIkgwQw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        110⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwskwkIU.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        108⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skIwUkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        106⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQMcccIA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        104⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeMowwUg.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        102⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaQgEwMI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        100⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEUUsEgE.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        98⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSocoMAI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        96⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyMUUEEw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        94⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOsccQkI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        92⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMgEUkcY.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        90⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kykEcgYk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        88⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FesswAMs.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        86⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgYAEUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        84⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:3452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwsMwAQI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        82⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JswEMQoc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        80⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoEkwUwg.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        78⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uewIQsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        76⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iocYUAEc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        74⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqUgAIEk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        72⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncoQMooE.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        70⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NukkwMsg.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIAoMUoY.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        66⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIcoUwsA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        64⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQwggMUo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        62⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaIMkMMk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        60⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIEwMMAE.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        58⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQEgogsE.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        56⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DskMUMYI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        54⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCYMUMUw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        52⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGwwAIok.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        50⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqEccEMY.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        48⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aewwIgUk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        46⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCAcoYoA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        44⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwMoQAAo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAEcwQgM.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        40⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQIYYcYk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        38⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeAkYUEY.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        36⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuQYMoMo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        34⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syQcsckc.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        32⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwkIEIUg.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        30⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYAQoYkk.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        28⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgMcIMIw.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        26⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqcIcwEo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        24⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqsMEAcE.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        22⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgskYwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        20⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yscQoAUI.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        18⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmIosAgA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        16⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEUoUQME.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        14⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUokssok.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        12⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQwoIkUU.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        10⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUgMokcA.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4492
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:320
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4820
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssAkYkwo.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
        6⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EacEIQUM.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3536
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4568
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCwoMMkU.bat" "C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2336

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3704

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv xppsGT1OuEegfXpVXRrOJQ.0.2
1⤵
PID:1728

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
221KB

MD5
a4c1bd029db10b589092db7518d37620

SHA1
66e67613faea4dc60bc8d96c8661a7542d704c2a

SHA256
3191b9cd978a13d9c0706b3b22780965fa01897f58c77e8f980ff4d105d19eeb

SHA512
5e06944ebecd647d94d1742f213a4dd2cc71d4cfb1988e182cb269df0a04d33273d8cef811d5af7efad57babca48455937842d8e58884eb010e2e03c9bcda079

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
225KB

MD5
da69f751d170c41d5776ddc29bcd9219

SHA1
f3c25a6531d92561588281ce81210d2fe95a5108

SHA256
2d081b87ef1966159ed0bd85595356cbb22c3671cb9156e72ebcd5177b34a71a

SHA512
536d77cee1faf3bafba4045f7ffc3c423ea9626af84950f19b4fef2a74926103d038a5d768a617694d2211bfd859279adafe2535ddb06f1d1a1a534d861853a1

Download Submit
C:\ProgramData\qmQYIEYw\DGcYEcgA.exe

Filesize
184KB

MD5
35d6b0f519c0c9c368300ebeede6d1e1

SHA1
d69893e9f026f3757896df555ffddc50c6cca0d2

SHA256
228ba82e41568b94d4876961affda5cb17960174bd32579a247252f4f56e13b7

SHA512
6e46d59da112738813b55fc6e391791830f757052ce89ae7aa9b62a9ec5c81a76c9316a44368b9a0eda1d1c6a24a283eb5fb6f6692b9b0d64fc6cd96b7553656

Download Submit
C:\ProgramData\qmQYIEYw\DGcYEcgA.inf

Filesize
4B

MD5
5f792518ca59ec287d897b331ff9ec72

SHA1
ac9d10d32e36314e76f8a0a03d42107fc57f2eb0

SHA256
fe190039f3d97d02920db122e957622813e47538aeee402fcbe35dbe6e283a32

SHA512
694f6b11676cc35b5c7cad39b7df11ab1ad4393eac468ede56098876fb570334bf8c11e471edfa40b06fb486afa12aeaa904018d2e5200d9e5a488639f231e3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
207KB

MD5
6df69fd8afd9501ca058747135a850b1

SHA1
2a29b6164e49bef0ac4ae9277ddef01068189ada

SHA256
c1dd7c3572e40410cd2349b5a7a6efcd9e489b47796dd3d91f1b775d456249c5

SHA512
659e81f0779be4a848c77db6be43b2964746b27d9247e12995d11dbfd6b594d85934f1ac50c8b687f3299af0d28f74c5127c4ff2513241451dd9e42df944ebd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
196KB

MD5
fbadd49a651de587b4e417771f91d3ff

SHA1
16a111e3a6a25ff8b4290148e38a61650d4d8966

SHA256
b1d1cd66e9b027caf5fda96dcfadf79f2aeef1311669d03810c82f24ac3a4ec6

SHA512
0d7f4b3375fcd64726bc638639fb2a66850e255b597f24277a8bfab1893382a18cbec944fc64f899bdeac3c3787bbe9490f7d612c5f3d9acd70aadd4ce834449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
205KB

MD5
dce96116a995aa612d30c05ef92b1218

SHA1
63d156b325c9629db181211fe3fed213281a10e7

SHA256
d08efb41c796613d69a9bb4a5fa076b7277c1f223503de49d9401cade033a359

SHA512
e3c703edb75d813ab0224901e67e12b95fa8ac8cbe1ee72530bdf88eb2545897e43b8397f11e1f4f3ece3cf61665248c74e747801168038b54ac20357122197e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
199KB

MD5
38faadc6c2a37c508e6b84d381013040

SHA1
c6fe2ef4096af0adfa13f039c9177ffc9c334518

SHA256
7494c16ea8d97f6cce65060a11f741d97416f1cf825ad84f505f0ae001861930

SHA512
77eff39b306d95c08f4d313d020061be58b7dc5a66858ffca708058b7299348b1f66b26822d571fd89b9bbe8318f4bf28df765868292102f740a4ab42a333adb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
189KB

MD5
993083036958b34bc0daf97693b463b6

SHA1
fd8cb2519cb450423b8a3446a41cf662ab783410

SHA256
32bfc3a6b79631c95cb74a1d8dc1e29297358f1cc6c5a7e28a288017babe2a8a

SHA512
2e372a16b15e18464bb3ef74afb15c60dce234d0ccba8a31847ed43903a5cbce189c4f706f9f22fc851ea7fc368c35c7df7cabeafbe076d34386b3c1e616eba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
204KB

MD5
0359fe114b6c10293a3b3327b57c039e

SHA1
db01e3fc75f6a6115e0980ab8fe0dd44c61249e7

SHA256
ac124f027bd7e83497893b16b94c6cd63ed724838f09e86a8eafa93d5a45217f

SHA512
44f2e8b79a75b4f182595768f5599d8a7b777a3106348238260658f75f03299305cc94936d5ea1da5e8b145993fade0904152a3ae3622992300fd2e67e8f5ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
204KB

MD5
747b511e4afca6f342868037baa2758e

SHA1
9bf6be642dd3f3de2c08e89511b72d0882040381

SHA256
928b394aa2f516481ee03611f6db58bf087e7ec4c02102ce6db00437cc22a965

SHA512
174b5ea63d86971f4b16b2b0e8f1a27b9308c6029cd64c946d3376a777a50bac32991295ab9cf99da62563bd1e7f2c61dea03d04602dcb4f660220418a98821a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c01792ee255068f02a0fa3164e4c72f30b0e36c790699a7b93ccbc220b8b541N

Filesize
5KB

MD5
d3da5cf5b86f6745cc8ef8c572509194

SHA1
d14a1f924a0699666d9dbbbcc28a93a44094130e

SHA256
a6c27ed4815c775cd65ba022f2311b51b74541f875b49eba9aba41783b4ea171

SHA512
ae7d70a201e04535b61434a7dc504f4ea81d5d8512905a632d842eb42854a1742e090e4b5f4e509b3405542ec65c05d969cf243ba1e48524e96ffb979e3dcf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIME.exe

Filesize
638KB

MD5
1694dcb20431e98b7cf3d30fcd408c28

SHA1
3718187c47321a857014a7848d50784185615c09

SHA256
c391969f5550bf0588aac910d8f873c9c95f2339ca601406336f940b9b99b8d4

SHA512
ab8c19828d360dd250468a598a9e110af010355ec2b3be0fee099476731cf3351ea45b5844c2290f670141e4989d3ddac9746cef3574d467793168b5d3cb63cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYIU.exe

Filesize
199KB

MD5
75c84672d2787f43f154170cd8de5691

SHA1
1ee7a6bc91f96164eb3f74d4e8b1319451ed3d32

SHA256
98192798fe2828b7f76f56bc4e0a30fd4f5885b2868f9b7655ef004f9fcf7d8a

SHA512
f87d2f3ffdb11e6a4166d63d12fc29309af27482a1655a27a0777e78a71d5818373a79e748282aed6a980cb9717584b0e33ec4408db14f58885b59d2570dbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYQu.exe

Filesize
490KB

MD5
658c10c47c0056186349f77c55bbcb7c

SHA1
59f825a2f8f73b9b2c449c4aa1aaf01d1bf14134

SHA256
3f6c65582d457c35612f26f2f5570bc7240f6eff72eab31a6be0fa645fe7d7c9

SHA512
02972787368d24db41238b5a5caf0d63cdf7521be89af6d7179cca1d319fca9b7153926667e9337c17ed7838dfffaf7219bce715ee456d5ffb74f70eae5e8bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQo.exe

Filesize
203KB

MD5
68e6d00aef7f6fd7fe96ba7f4acee9c2

SHA1
4ea9997904b021789e30d5e067f741fd8bcc5df1

SHA256
3882387c18fe328a64f83edabcf7a7444d0a5dc98c537ea1f4482cc2d05300b5

SHA512
290008354fccb30a4abe7707afba55ce3e6192e63404dc83a6394f0948a71ea7e05ecef2fb6c0890f59043c15016660d196c8e33e718b141f50d4cbd28c4e9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUYc.exe

Filesize
652KB

MD5
15c9fe61b489491fc50455e06fd48161

SHA1
f0243582fd119704136cad885597af3597dbdf58

SHA256
9188b6e5324a401319614121e015a9ce11c5fbaa2726505b59e6b83dbf4b827b

SHA512
754b74e723da1c05df974e79ec6f7f62272b6c6a8b3a60af49a623bf200faee19cd6e7c154ac30e90d1395ebfa58679c867562cadcf1ac49062bd8e490b0b60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcIo.exe

Filesize
189KB

MD5
71be722defb796ea2d625367317826c8

SHA1
06e5708c2b9fb0b41e96358efd85f3dadca6fca0

SHA256
efcc841535d8f5853aa554a86548e90aecdfd1f93b51e75518b931ecf74d8b00

SHA512
338b55dd6c766876ff5e12f060103b9ae9059b6476e87b76ac69b510532f3c34d4cefa20642ee0f77cf6575cc8cd9e07ebeab2408a76a64b9339be97df666741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccwg.exe

Filesize
588KB

MD5
f7e5c558e3a73da9a48c9b7102415a15

SHA1
5653a1e9b789e316d6a23619d5b677735b4c5215

SHA256
36e3f853fd6c1c11b52229797b4945d5af8fc31b55faab6b08903f10a736bbd2

SHA512
712e99d0235276b386452d20090ac53e2c69e03316e3799ab1368cb96655d4b36463d48284df83395a28da71e7d3b3130973d72cc67160137c8661d555de76d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CokO.exe

Filesize
201KB

MD5
92019e249f13ec044ebf1fe73ed91b41

SHA1
ee64572cc0973b971bb4175de744f463b8962a9f

SHA256
10106dff662c7e8e830edf81419766afd006c461f80c1a6b49533ea7c54018ad

SHA512
31a6839933720dc0a2cdf1f755e9016def477568025562936c87ab136eaa64e50d936fa42fca1fffc539eae02a35ab385cbd4895dfb1caea1173e749df18d00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIIm.exe

Filesize
790KB

MD5
57e7579332118fdbc0ce21bbad43e683

SHA1
0d7020c2c0ce8f58ab4b21548787bd12d897f4d1

SHA256
556371c1320f5fd20c630def945a361f59eb1431ba31e04eea890b5e4dad5d0a

SHA512
efbb4a457903d0ad817e4ed7d0915f00cc43f05bea2c61e3d0dac2f13da3a0bf0870c2882f615cacdbb359934ff77183c4992883ad24420caca3799aa4aab138

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYgO.exe

Filesize
205KB

MD5
fb3d5e47ce1ab0457ad579fc26883144

SHA1
334fb7109d0559339743b5410df6875258c57d05

SHA256
859dd367fd78cbfd0f21a85118bd928c52c6f2eb9ba5f0a9e0b2db7b72729942

SHA512
9091cb33cc228fb58d523d8fbd4e16dce8df67edc86df7ffd2a83f865c4d688d0a64b918ce4a896b1f9705774c733747209e9c1ca1a4e38a1575e1ee06453b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQo.exe

Filesize
316KB

MD5
9c5f4b673fe76b3805e9668d719f3b44

SHA1
c45c9609d7dfd59c4c548e9881fa7f0f9ee07bcd

SHA256
8ad74bd3f0e7f28f157673a5ba298b18429bb39342a363cb68c6144ff2b09d3b

SHA512
e9f23ad96d2a8bf99e6ea51c4f12157335f6b07b5953b86b1351b8dbaeae7c8a5d69f48fa8108bebbb395ec88d4838a2ce7c2416e1d24341898ecc430ae6b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcwI.exe

Filesize
192KB

MD5
7974342c530f3c8535ef1015fa1f29f9

SHA1
e3cda34e6b6f695f7c059d4552fb04083db25fbc

SHA256
a5989f3d496e3817900aae2b3abefbf2fb6a22a694c45ca4858f1e663688e296

SHA512
f7434b803fe38a8b4925ba412593fb6f2e1b7d17b1d593c7ae26cfedad362eb32fe5fe5c18080fd6af2659b537eec61f69c8b4ecbc50336ab6ccc24e2d38194d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYy.exe

Filesize
1.7MB

MD5
58048b5de3c6fa140a343be5300b5b25

SHA1
841dc13ed68d0a246871bf3de8633fce24b30bde

SHA256
556682b04f116d45ce982264fca4abc1c04fa05670d08f4a96955d50ebbda1df

SHA512
9a0e265617bacd123b0cbfbb2b20ab9ab0be3d1026e10f5c65daa53fe6d8e23296c286d548d503f1cb048a821ebfb6d1de00bbfa5d15feb23717e2c66767e060

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUUM.exe

Filesize
183KB

MD5
0dcf7f6ad7bb6e5dc45d63f0b31da99f

SHA1
a887bb5008e9902282b8c1980a74addea08de947

SHA256
c2f493754ea7278714d5194ebbab5dd27af544f0490ffd1495c24969a2ce000f

SHA512
41788c12301f5feebdc25152673681f81f10080b15f6d98124ec90c0531f501eec03ab83e689e15eda2456e919cbd65010db0a8538f6af962e4b2c1f16232786

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUso.exe

Filesize
189KB

MD5
4f4a01c1424d1d3be6333a3af5900c4b

SHA1
7864783566275d32391f5ebc5c1a775be064557d

SHA256
66d8a6cadb0cdf0762b49057650450db31aebc0d2bb801a0232c6c4129b22bcf

SHA512
093c8fe3512da658685aa53d42344c433668ca37ad3a4471bd943f49a43b2c4745c5ea3f2cc58ea9eb112904a80fdf3b67c887ebef82bf02a1c94a02373ec3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYwg.exe

Filesize
192KB

MD5
bf1c75a688b4d7ab649b4b9bc8fa7769

SHA1
e4d4df6fa550f616427214974b726603363358c8

SHA256
c06fa2ce139b785ee630e0558a31cb7b3f30fbb33ef1c815989b8adac256b3e8

SHA512
e864661cf30121a6e2bc6f78050a3043d2750af6dc223ba4ce638d4bc5354fc1bc5b416657ee16417f283219a3aaa69959818cbe3e32fe7f5420c688ba6d3a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcYI.exe

Filesize
199KB

MD5
bcbf947b80170966dfe1b71c2568083a

SHA1
4da5538ce4ca3b7fbff86cb589d43d584cee77e5

SHA256
542b102c9831b1fdc4d312fb96e3752ffa764b28b0c7adf3e84ee487010fcb96

SHA512
02170d32cb0b0a0d7a9331e2789c7ed9ea8f812c1b6d59e42ac130f5d1edb91198cc9d414b82df3900fdc57adef9eb28c04e104252f29105c19110fa5aa43b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcc.exe

Filesize
187KB

MD5
d9209beb321d3ffcd76ff1c06496f2c4

SHA1
0416c91b0a5811b291a87371133ca8e2d272f112

SHA256
fd9fe9037e92ae087894f4c0243b1d25791234224c4904e5e1f7448d93cfae3a

SHA512
c1f49a9f86af76b806c2cdee8beaf61eb253bb3f1323b2e171d6b5ed3d1943ed68be9827ffea7aa1cf6ba978c721de5c964d1149ea8ddc1d4052bf66610594b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcEO.exe

Filesize
211KB

MD5
47cb918d1ad504d2e8eacca3255ecbf6

SHA1
fbdc3307294113620b0bec70f38bc38c80e9dbd2

SHA256
0812afa383f995ac25aa4174dcbd056ae01e83dafb998dfccc89ff49f667d623

SHA512
a9d54d7f21891a4c2f6a63459178d6b369d1ace7b22c8a4fa9410e0774e6576b347b1541ede9248bc48e32363c29121015b677023d99f3d4e8b4b738f3e8b765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icwi.exe

Filesize
202KB

MD5
46ad4766e117162ac80761e367d5e4b8

SHA1
0d6e9c604fe4d0270782c5ad1a81dfcd9ccc0911

SHA256
1e937d6966470d34e52c55461e707d3f399551af2549104f8f9ae48e0c36487e

SHA512
ca401242dfdf097592c52d2a07e1933d7c57d271b65e67060b9715e873d1eb2bcd835245db654be1c91a4ec215b241cee08424a935ab6b10afce15ec7d705771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoIg.exe

Filesize
368KB

MD5
4b598be63c6c5dc294a368a85e86c664

SHA1
68f397c05e6ab686a2baf32ff824bbdc372198a2

SHA256
73218546fb8cab648fe8bc0865050786d78a478a525160a13b5e9aaa0c922cf0

SHA512
d5828d2e26c82d2c90e01c5b1b41478d251076a45a700dbb20fc9a64e4238dbe8d8db8e0344d4975b4f16059e0c153b50bf86dc5876df42dc378231bd644ee75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iocy.exe

Filesize
1.1MB

MD5
8076ec3e288cb9e745afa74699ab6b9c

SHA1
3fc4d10c7b67d556e947dd015ff5465862924d9b

SHA256
b1f1a41ee649d73465f696a84f42b3124e26d0aa836d328f42b9e71a11c25ed6

SHA512
a6888ba76624bb92937386e68d48b3d4553c267004a3ea169834042c3016c3af6082862becf89c29a9c797aaf887a6277a63132acaf6d3a750c11f76acb33e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwgy.exe

Filesize
648KB

MD5
8b1b217388766770324b4ed8e08cef93

SHA1
c64937be46697721b0b4ab0398bc3010db161948

SHA256
ee41911cfde577525222c82d2635de502a6719dc1e52e0ed9466a38c5ea142ea

SHA512
8f21f690f6d0067bed14e210b594c4daaab4954803b4432537b3ea5167a19d36ab3c84bc3bc2be98ced4ae301e006e831a561d63b5c0ceabf50f697b84245adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUYW.exe

Filesize
233KB

MD5
70489f422d8479b99bd50bc48f407f6c

SHA1
c1cdece8f44cb5340109b4bdcadec459a104f826

SHA256
5cd2067147d69fe047e26dc4357ce98fb2411c28a40e634186ecad149b76d8e1

SHA512
637e640b0df84bc70d0d7b8f56b7ff53f3fc3c9bfd2c2c03282ba5cff3b3e637e298b49046e0222157e5561d4d780273799b813b46bf608fb824ba5c073cb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEE.exe

Filesize
812KB

MD5
14b6d5a74a786e67554fa6f115bc4a88

SHA1
f92e890cc9a2444bb4b0703d4a75b6cfa70e611e

SHA256
bcdf8f92a1996f0749092ebcf519159535dc4211e97fbfaa8435e125b0ce7891

SHA512
e9f65d0d3fe8b5fa3f9e3db2ee2c5334b859036f22603951a1f4c523aa7452c5fc4834e25da4674a092ee8670dcbfa2911eeef778968042ca27c79303be259d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgUK.exe

Filesize
205KB

MD5
4a22d43647075cc512182a8381783bb9

SHA1
a4f2b9ce2c3eb611932d1d27ed493bbc4bdd7845

SHA256
6bfe7be0b8c54a0cd82c0b7d6cf56181cff6f1df011cd07a22f7ff508a2eb9fc

SHA512
80b558ae64907cff28b116dd327134abcbcb1f8f42272b4f73428551aadad5c9362cb6b501ba3fcbc5e503fc2d94c96ee10e161fac6691a3e639c78fbecd4333

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkcK.exe

Filesize
192KB

MD5
c25582ba406f1fc560702a6a5865a47e

SHA1
77f6c67432f063c318d39f7843f6539db034da2d

SHA256
a74a75f342703bfa78e3c6c0bb1e7299505726ecc08e025d083fa4949acd792c

SHA512
dd57369f4b73d01885abb2ca339eb8094a72157e09bf1072e881b3fd039fa2679101628f7b50f733ba9b58899a2fa1b4f11a18da7220c757b83bbde6e4ccc148

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEwk.exe

Filesize
207KB

MD5
44255dba615e2830979a35c1d9d48458

SHA1
ba7f0960fa755a3057b412136ba39560b47ed064

SHA256
b5cb39d7179acb99ba98a9929456584bda75b9dc3a2ec41a81584b59eecf5113

SHA512
07a0fa28f54e9c06e7a2fa30cd0c37926743c1f07a72580dacc773c3ca1368f6269cdb6cb676dd2ded80e6b9bb478a9f5ce3718d8e4bab104e7820524d26658d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMIg.exe

Filesize
188KB

MD5
629a3f4692a2e8755ba09262ef91dd4d

SHA1
83ca69f572ea43f0c46ca1afac8c3ee4c2e714d3

SHA256
f9f0608ccba409a4a4c6710f9835a1733ee1884d5b890dcf8cc6030b0c1a67d1

SHA512
b1134e4cc39c5124a3ee4e856ead8967b03a1320c4c04256fe11372752115cdfb34fb1075ef4cbb94eeff90fc63ab9454d3ff95bf1c1d0b2c6935c2a55ebcc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUEO.exe

Filesize
871KB

MD5
182efae117f07681daeeb500007caeab

SHA1
eaf3bebb1d7455fc80b57f14ad6e58c9c2c9d36c

SHA256
b58d9069bbd58db4bc1c3cd26e29bdc47e6fed3b6e196a378a6d79478a1d9465

SHA512
34ce90b07c635220a6f0a5a431f25a9e455fc636e40d5556c9d41803b416646bfd51cbe70649f478ae5bd5fbcad8f6c1370fd8f7b3f4eb3480f7a12f6c8f7d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUoW.exe

Filesize
210KB

MD5
5a7a302c8db2333335fd979786af9fcd

SHA1
dc175c93484dbee4a31a0a53b9189d9acee2f279

SHA256
414f0e7c68821cf5585142c6c84a0ec453c0f4dad2af18393d0a3c6d541c7f46

SHA512
cb9f7aedc68d964a4833ada1a04d8e4ed0a83c4fb7d4f196de5e71dc297706476eb9c6c60ba38506c49d5116d63511c19c7fd5488362de9a7684fa485314a4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\McYA.exe

Filesize
1.1MB

MD5
b662a3d584236232e2a6780d27135442

SHA1
871cdf4c7bd86719f09cc48678966297ababb01a

SHA256
db1a56290f614f0ed813065497ce14bcc98740a701ec01f2d3876af59be65a3d

SHA512
2317dda6c12fa764161172c0cc505a07e035edb2c63aa81d650bdb048fc26b670b769fd1a1f1301453576726866d69e81613921375c273f94ae87a6e5de770b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgYS.exe

Filesize
213KB

MD5
f9569231d5e8bf0963a71ed8cdf36759

SHA1
6fc725392a2b5cdcf3d9d8b0194f5c24aa132d4d

SHA256
ee3c60df3416ae930c323b542669b482d598ed01ecbf2dd61a2aa0ec5b9bdf7e

SHA512
1bc982ece605fd357dac83209e375ece6ddd679c3a4ccd7428c13038f37fd6a709a2d6c2db7edc18d9a1986e1bedc8bc4ba079f806965834ff76c95c93389b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MswC.exe

Filesize
248KB

MD5
b932539cd85a36c280a0d61c5e443a3e

SHA1
00826abb4d3a1de9889682bc1822348af1eb56ae

SHA256
01928e54bf1708df4f464b0a831ea7884fd061c1cbb03d7ccfcf3e4ef025855a

SHA512
cba92f7f6706a194526e1ae001e9ab02f597a02578909e7ba93042d616cd7e0c29d7d2c9c0e933343ae76a0efb37d5bd002691da9128c173922593cf17ab2f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\NCwoMMkU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAUu.exe

Filesize
189KB

MD5
3c3a4ce8a654ddd954ab154ac4176a3c

SHA1
c4573850e999f45a58ba4f6eb21675a2188f8687

SHA256
5debdefb40361164794d56a5fecb63af61f427311e48af42f206a5d848032cb9

SHA512
09fc9a4f2b5ba5cc40bc6bfaa1442f745a622d3e4953ab669f01ee69556634e8f5298a04043d8687b61a2b5ac90b17687e69109c39501d2e6633237910b9cc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMQm.exe

Filesize
193KB

MD5
efa8c5043182630d0095ba708b1d2a26

SHA1
a046a12d077a21c4a3e8cc8c2d2e368fbffaddce

SHA256
e880f19a273b6e2d1d568cc5eea96e88bee503898144c9e4186397641d040243

SHA512
af9a293e0fee37154cdc586b7b275cd36e2af5632384dc1e2a8d459e1e860b660888ccc78886e8fcee1c340f73a14deb888879f3e531e0821b177ddbf7a6c17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQMA.exe

Filesize
1.6MB

MD5
c9af4d3e3b9f131b35aaca48d6c2a531

SHA1
5955f3a43a28ca4eb7be288412eebba15c908124

SHA256
754c05bac62fbb92ae80595fae56a44cf0a85f31b82680d03523085dbd530cfd

SHA512
c636cc338bcf9b5d1fbaa0ee2b9b4294e0149fdf2bb0aad1124b9e41833c5c100ffc99c7c6ae6c1b5180a139ea44502eea847a197c11f2d252c5df6e28e75c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQoE.exe

Filesize
627KB

MD5
da28d3a3e336e6e7199099a4f649fba4

SHA1
b907f2ae61d6be64fa4c53464ea966104247cd38

SHA256
24ec7a6a794fb99622fa16ea09441885c12d4cbe0116a192cef095bfb966241a

SHA512
3cb74d83dc0d9d2c14021f2e13a7ae49302f5d06fc28b58e6057e54f30a7f8f3dd120fcdef0b8334c64953824672a041d27a19c629b7ea1b26f7f12422ee6e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQsu.exe

Filesize
835KB

MD5
af8e6c04d1246a5de840c26c8a7621d6

SHA1
ca669570590222ca0e25b17bf0b8494f639b736c

SHA256
814ca231a1b35f10a912f0e3a2505be7bac65cc8acc41ebc5057995bdcab2d17

SHA512
51190f9d6eeec6667f49c383c6f919406aa7eb109a7d5d0d690a9557cf505f0b8961923a9db0dc9f318363528ee0a21f4fd5888865b62e12f329b9da16717afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcAU.exe

Filesize
191KB

MD5
95d99bb68b083e9fabd55dfd6850fcb4

SHA1
735e0784d0198078ae88cf152fc5f22beb9967a3

SHA256
d898b8720c3cf2b6b528e24b580d31227bc360ec82d6923da3a736383b738e88

SHA512
63901b4147d517083d4f430d8c4a531cf580f28529f30230f860aec4107ea716aeb39b273a552da607fc28964b1fba6d5bea6d95ea154c64c50d97e32addd169

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoUw.exe

Filesize
1.3MB

MD5
ffa325ddc713dbcd9e26e5ae8409745e

SHA1
86aa1b12507c624bf722f611bce451a7762e5897

SHA256
a64b0883820becc817ae8cd64dad5dc1c762e28270bf049f4aaff0719818f2b0

SHA512
01440abaa5be0274bf6f1cd3b8c2aed7e1022b3797b6191e644a41a7fc0020ae65fe82a8f382d22a03f0ea143c500fe2dcb889bf1b0bed77fd2d9f3bc8c6fbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ookw.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAss.exe

Filesize
632KB

MD5
3a08f21f7af5f690e14d0059401fa701

SHA1
b81b915e2186ac6fccb7cde5c513d52d896ff55c

SHA256
2c6f85062dab5cb61630cb26149c65ec401a7d455cf1a17476767d2385c7ab6e

SHA512
3d76ab75a25e742d179a3dd450a843688fecd10f036da034ae718a10e57810871af51c911a2c0a9e80af06b3c361f6f478878688f0538d41aea40333328725da

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIAw.exe

Filesize
200KB

MD5
02f7f473fbe5ebf5c61bae9ff9692d28

SHA1
2507a54bbcbc34dbe7bc18b8e6dc350895050850

SHA256
6e5dfdb8cc2df34ee18c31e4bc8cffcaa485e646c98f335f3ccb4e2376dbc880

SHA512
ee3239ba75deec47fae0738f321d0eeec39fd237b6b642bd6063b1cf495feb98369176273a612444b9146489992403e2e9ab7ec0a54d3a6187920ae8e0b5c614

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYES.exe

Filesize
187KB

MD5
08cd4a88a621a7f1d0a82b6e6eb3bc25

SHA1
61a5d4a0041f46cfb25b54776ad775d750f5ac0b

SHA256
7e7a6a0c57ae97ee2f8364637a8f38c2591c1442974ab8a2829760d2340cd25c

SHA512
a181dc32a11ba089741f3f0c7cd2acbd2540d438397af5b33e1317e173b0a9b30f96a38b8ab4c90249947d3bf2077fa6ac7c9c6e9be39b1ae34d8add3c3bdad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsME.exe

Filesize
188KB

MD5
257586e70e20186fd4d104c8077a51ab

SHA1
fe778d5c997d4e3680cd3b96ec890d380e1a60e5

SHA256
19d2825c99f795f13833c1cf77f196565b660940c2687ceb107ad38e5313268b

SHA512
4250c3dde1ff4d6de41096fe3394694eb19aba0049561aa8231487632ae6dd2e615bfcb99ccac1f48612c22e1da8ab752f16a291afc42e1990732fabc9c5e2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucou.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsYS.exe

Filesize
205KB

MD5
7574233337ff212e2316aa558eff6995

SHA1
b599b1e7d220536e46e79e85e9339ca66835a817

SHA256
f96427487d874a9d0319c934b830cf8bfef99c6770ddf886dc37cf2b36d36a82

SHA512
39ff9ef49d0d7cd29204d76256b84848557226c3a67523f68688159ee3e9a6499c5aa6996c724ff212fd6d4f03744a1c78defdbd4f1062d4adbf659ea4cedfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkcq.exe

Filesize
329KB

MD5
13aacfc36532bc173b4857ebc56c4a55

SHA1
311af2deacc7214f7d424f2b2f138d2cbc0f1066

SHA256
2c8e3a4f12b34c01272fe2154b5c88f9fcb62c73818e3998536fade464228a04

SHA512
a0d79de0d6abff6ed20e5efc2016b123836950780b587f8b093da976a3fde66b58e5dfada98154327dfe367abd9b0ea7a9772e7e38a10b0e49fef9403a02380b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEcG.exe

Filesize
1.8MB

MD5
b16e6a470073e934ad8080736eefcc6d

SHA1
67d544b94e5990c4b520dbc6e197264ea51819a9

SHA256
8312b56d93b051e6547601bc07e90fca67eab41098693e6c61b634429d0ea3fc

SHA512
32b1c80f498d1e18f1120125fcab70d4b51349973576bc8e3c6eb758c744defe980d08b0ba50e94491ca3406e86cc43fc88ce3f60723f345c092765cc7a350ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAU.exe

Filesize
209KB

MD5
a049241d68f8c54a9501aaf29750e381

SHA1
c51fdba0035f3c5891517f916c70cb3b53bc7477

SHA256
28686356adda7f5bf68f75859b883f531bd7a5f357aa3dc4f3ed8fb5d291797e

SHA512
aed01533c8e0f76600fe962d53571a7765541661a22600d652aaf2d60f7efa45525702bf5cdeb59f5b21fb6e9a0588ec12b296a055104f71856f3a2f746d2e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIQ.exe

Filesize
216KB

MD5
4c65dc06e5e5fc9afdc61e63d2bb2997

SHA1
d3f5cff56150de98624be4fee88b6c54af81d9cc

SHA256
3eb0b49eeaf79df06ec80ed8ef99984b6f7dce395df3d5c2804ca10a290dbad6

SHA512
53507a98a655a1e7895d0e238ef05f3964f6978dcd9e2c67c32a2a16c04d7ecd9a69de900852b79c8377fde11c15b2744b69116e81b9290068bf71862f665594

Download Submit
C:\Users\Admin\AppData\Local\Temp\YogK.exe

Filesize
186KB

MD5
e318dfdbbb581d3b15da4f1151ba4f57

SHA1
0fbe2dc484a1baac55194455ea8c19dbb86631b7

SHA256
316da97b8055183dcb18acd745a5a45d23916b0a34f4a0cc16cdd87ed134c6ea

SHA512
f8894b2d6e48d64213251b55b505345ded0e46f7f328e3ca826a37956c1dc46f414765220dbbe18d868bee801dbaa40cdb8aea9a5d1c01f7b8178f592c86f0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwQq.exe

Filesize
323KB

MD5
2aa698de1e8540fd53ae69e65cda1d15

SHA1
270ae3863b6242147b48e9e92278b3c3305083a2

SHA256
4c8d9c399a458f579e1a3643df254e7813b66bf126f68c866005d70def8b203c

SHA512
341b2a07e17ba180a4d8e80b9c946ab95e50efd39423a9781d1a11079581b1cf0f1d276a21adb5cf0decc6fab40342675e4ef0c5f9bb54f66c1486b5f0d385e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAMw.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEIw.exe

Filesize
429KB

MD5
95726bed50dcb2a62ff7b44cb9581ecb

SHA1
3cea45e119c699005330b67a5640046b78124092

SHA256
2c4f9df2084960738a788ae87e2e5b8566d690746e9f952f95ad9264a9a05e4b

SHA512
133e6ae1bdabf2875a2a45e788fddf2fc451f31233db810e92b10f86c48a7720a066abff2c84d536ef5380539a8d5a71ea15087dce8f8e53fd0718ad923cbfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYAY.exe

Filesize
706KB

MD5
0d139cd708740b4bfb07d61d4c8f464f

SHA1
cead091d7d2a53e17cd6563fed785db4e8987caa

SHA256
790b1d21ea4084d47e0acd4357f656f3ca49bd8ceb7d54bcd37f34386004b3db

SHA512
1f3c6d4190b50df014a44917684ef01c1e8567ca0d00ac9dff5ae8a2572f2cab0558fc5dd8adeb12ebadb4826c3d5a25036fad0e2a2ea5368a58c28399850e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\agMi.exe

Filesize
190KB

MD5
000f9201cc9594f77fecf49cef589bf1

SHA1
6ad9abb627256f364b453d78b2bd39aab6143e64

SHA256
29517cd9cf58a14237dfc19514d1ae26bc29f4717f83a110fa77df9fc6529b39

SHA512
0cd24ccc59337b5b6431c09da4519491332ddd228cc83bb1b3c2838304394a1f103b33fbf6e8fb457c1e0b87cff4d321cfc0c00dc8c65cce8373d2b8f7726568

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYC.exe

Filesize
559KB

MD5
a5b1a5558fe8e122e73451e446abf343

SHA1
fb3dd059f214d516a40f02d31753fa411306a8bd

SHA256
f83eb52b0c28e256e3d437b83bbc8c5bb602b692a793b239833ac5b1ee452d9e

SHA512
a41f0f95daa9aad66e8e50019cd2352b72ac8373ab154fb37b07430d7c824a4746117b36fab95ac704c836970b19ed6c5466ffba414e2e283170276353b138cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUAc.exe

Filesize
202KB

MD5
68f0ec82d739d0e78f113025c1de9bab

SHA1
8595f6915eb3fac229c607d299bbfb9420dfee43

SHA256
79b16451cd476495f6ae4184dced3f607497e081688b357471994a25d3430dee

SHA512
1a1b15075242056ae3ea8a22c5dc1d4ec483e03461823b00b1abdd6fde3aaca50682367ef121fa126d203f3cb68d2e81e83e8c9b237668b2f9f4ac3acd374b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsU.exe

Filesize
399KB

MD5
85c6f4720b5fb7d2ee56cf04b1149454

SHA1
a7d42329cbbe9a11e9238f359acd81db333d8f8b

SHA256
e9031300389fb716ac632da12952c42a5de1854024f1d94e2c6e0123e26255e1

SHA512
3759854de3716e9dc70ffd89e29628fdb7c637e447fca6b19e9169a10d4522d8883f64bced8c5d1f4eedd1d618638d23c96b5eea5b59c51b1b3388c4b1c5eaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccYa.exe

Filesize
190KB

MD5
777af1d6fb4736e87ee94ae08a0d573c

SHA1
01b4e5b91a3aab4ae17b56d141a13dabed8af6d0

SHA256
79d769fc75cdd82456b081310c9d182e38b5b4afd4e42c08bf9e4c0471a07f39

SHA512
d7855b4d865dabb11f28c7f3551dad88f28ebd379a41e38217da9834c062e2c5941ffcc02bd19d7aff0c1d8721baf123b6e3bd6d3faad2bc3aee49153cd6b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckES.exe

Filesize
192KB

MD5
6cdaad6059e9774fd5e2f0c55c0b730f

SHA1
e48261ce4a85513f641ad4551abffaa6f0e8c610

SHA256
4c61d2893774aa694abc68eab7b75df4810946c5e1d0a43436a094a05ad6467c

SHA512
7832e0534a93c65002ec26057ca86589fa4d3ac6859ba0c7bf2a7b02157caedc45f0df127345fba6327422c58c699b4a784b94146b2b9d091bd701aae7b43452

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckUW.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckss.exe

Filesize
229KB

MD5
9c8b3dec1dd3027067af38c78371d3ef

SHA1
b0df0ee7be4f87491eae69e69a2a122464a45191

SHA256
f0e217fb98392d44cb5bb4f8f198f902df3d006aaa2332ed1a1de392f2ba17e1

SHA512
709b2e0241fd4e6f5d0946562c474f77daaf1603b6cda73c5602d838597db7e4f2e59ba4c032b565e09f771bca2b1e06f08e23726fd01c362817299ca388c4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\egsa.exe

Filesize
191KB

MD5
198d461c7baf8a95854d271550034d8e

SHA1
2ed6f24249e32beb2844b94c80532c9539514127

SHA256
11785567333d62677a384e677a748c120290e6bb4d1a3b2439ce40016efcc7f5

SHA512
1b40ed086656b2b75479f8de3e0ec7550de4ae943f87965e2a3ab71a28fa3a7aa077d0be65df8fd66d9971d62754a6e6477f3d65207b944dc5d782c08a7ed233

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMwe.exe

Filesize
812KB

MD5
fafda2ebaf5279093de62b583ac43fd8

SHA1
7e148ad0cb988942dd57f3f7077315a774d3c14d

SHA256
f9c82bd59624ee248cff019543a6b47315926d203c15122a62f088be7f4e190f

SHA512
032b8783d3025ec6422b3168130562d3e9c8c81b61bb65a52dca0530ff85cec1c6b06c8acb864b9fde5f996cda235ba99fc699f895096857deb7e26cad795999

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUIm.exe

Filesize
188KB

MD5
d11cd380825333e30efa2e52278d3b31

SHA1
2a424dc2aab36e9dbc78b8be073098ecef5d0563

SHA256
2af534a8db4ec1dfdd172249505185e92673890013f50919eaa5dcaa26402052

SHA512
9b830be26abad66f7f4aa686bf4d4fa6220e678846d368ad0732266a493a8d20f9bba1ae142bafd586445e93ed90269041b3db52fa53493a65906f3dc55ef6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkwg.exe

Filesize
771KB

MD5
cf033fc163055a35058a603d74e08272

SHA1
d180209686887a1db813fd9d367aeb9881bf7fe2

SHA256
5185f49f0d448b8d2dac8d53e707910ab921d4ff59fcfc1e4638abec9ce3512a

SHA512
eda4eb065df8042face7301bd7dc1d1ed3c4ba6a9ba233bcd51c6d10c8b1b8e08e169651508a241e0bc8cd7cc6b9b844758b1d7f24b8eee008c4e61798616858

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMgM.exe

Filesize
211KB

MD5
5b169a2a1945fd273f074de4aaf88839

SHA1
8b5f96e86ab1cef807e36907feb55877ed40ca88

SHA256
9427f221fd34d0ccb996b385139cab65c7fc017b27f9af4c14ca600b83101d0b

SHA512
ec27e4c9a01f0afa25cfba1b5037dc47c5b274d8fea9a57412106e018346f698a7e393db3d7a1dc731595acbc7eecaea902b2b3d29519392f0b5851405e594c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEk.exe

Filesize
186KB

MD5
f798dbb1e1fc2c4134ac6c7b6d1a30b1

SHA1
0bceba15996677ae12f62a059071c3796ceae8bf

SHA256
e49b2d226883b38cca86969b32b6e37daf0a8858a535c0f60998df7241af86e8

SHA512
05ba8b47ad80ff7e240a02fb877b9df3d86bd1466208a603e74d145f569daf7cca8cd66894efbdfa85901e494fbb5bfd6259d963ab3ce902c94cd9a5d371cdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAYi.exe

Filesize
190KB

MD5
471b4886f0df97c51cb4dcebf223ecf1

SHA1
7ffce02ce1a866663e8d74fc4065dba773b4286c

SHA256
ad90663bfbd5628b9a9bfb300fa78649e1c07d8a51a868c27833f3ce94ceb55c

SHA512
334c426ab198fb7afaf9d66b9e2399e65ec1d4e8f4fcf6dcc51e06e8c0264b7b6c0fb33b4d83839d55f3712b738aacdb64a85988c33a43d6080185d2d2cc039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEUg.exe

Filesize
786KB

MD5
62d3d4ad95c8cf5cf125f1605fe8f85b

SHA1
e2b553c76caa34e73ac06856d6a32033153aa2f3

SHA256
155fa2c00de55aabd13fcbafedcb0a0f69265c0f7e938edf01e3503379549467

SHA512
98ef70cbb1261f6e764530af0bf6829db1176acc63be55ce93e18cb180b28cb2eee0cffaab800d21a56f321b9f3fb8e7c453067358c9d33abed0605883a0025e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIc.exe

Filesize
375KB

MD5
91663fa535bf75b3256b1b041d7d7006

SHA1
dfea980a1e9a45aca311f3a1a4bf524cabb5f871

SHA256
6536401b71b592636e6785aa30fe542762bce5135300c6de52bb90b9f0ce23db

SHA512
9c623fbf95ca4fd4580177b9f2c2e36812e2faa581813c2c02bb4417801007a8b6bb409e9934a7a5a0473bf51e0e362f07f195ab8f41c9a9bdcd43a8b93fc5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcoy.exe

Filesize
212KB

MD5
f4aa5e56829c445c54deff184415eecb

SHA1
b3974060f7793144d888a064222898b3c405aae1

SHA256
c0ecc716c2b4307d1ee01a92597354b19395244f4ff92c6e79b9c144a47033a0

SHA512
adcfad1f8482bd75ed9c99bfe1241aacdc27445a9a162cf839379003766e85d72574457ea26a48addee25c8afee94a31a286dbc30f6d33c67b85262a2da980e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcwQ.exe

Filesize
202KB

MD5
0b23a885e1cae35f674628c6c9ec692b

SHA1
1e937da3bd08fdb7f962ff12c78456f7e70963d7

SHA256
9358e19f0b7291c70d1166b5afa719622df05d95f809abd1f44f04dc3dd96536

SHA512
9f6dc6baa6da4619d7af6a400cbd3c63294adc0a5e369907ce265783a0aaa4d3739cd6af139280c1c6782a1ee051389526a1c7e5c549a4d3ef3c913dc716d2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkYM.exe

Filesize
210KB

MD5
28b3cf99121c520cda60e1a23b1fc06c

SHA1
18c730991c5b4e45fad0f82c064d4cb0c0953c1d

SHA256
71879c22b9a9fad217fa2e929192c9a5e8cf6394dc7cda150cb670388a040be7

SHA512
761baede2321a5154e80d9edf934682f6ceb04f36a0bf22e098519db4b159c406950ab76b8b69ee7e78ab8f9116b873a8aacf49d62b31bb1a2256130c53b0d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkoQ.exe

Filesize
186KB

MD5
41bdddde5998cd4283964abcc5d26a73

SHA1
d44f224b7bd46b17afb947e14ab12b13052792a6

SHA256
f016a1efb7a80b520fa6ea1c14047b932a2461735d057620e1df2d37293d02ce

SHA512
b786f5d9ce3650e71896fc87abb43dc573335ee679fe2c7e05e34fc5f736f4775bdd24e815856d12a928dead8c85df56eee5a8b41118733e912e89cff8e00417

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksom.exe

Filesize
639KB

MD5
7a3e754b5573996dceeb0ae5920e6776

SHA1
216de21490a791915f9d6c914e087af41b49cd7e

SHA256
8f5ad4ba5830227fbd79b89bf6de793ff17a9a557ecacb67c5507c0790972879

SHA512
61597bf89572adfc9e30e13bab3dced23e3bdb19a49737ccd3f41ac38420416b99c0b8f1f49677a358e95e0c22fb5c85be1daa3a586e1bad35c1012c63fb7ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEQm.exe

Filesize
229KB

MD5
c8af16f81d5eb71739ff8d55b72753a8

SHA1
a65fd3874b337a7ecb4529062fd9d0c51d2aad14

SHA256
6f5b63a2859374e24f424b2d93c1c1b139428adf87ed6fc3f015b0b4d25dcae2

SHA512
85a960cf603afef74cdd754e4d639e3b1c08c31a0e7c2b732b25368b7d30796fe1087890ab3328d6bd401dc114e6dea39aa3eb5075691fdc0dcca319a0aa1377

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIAc.exe

Filesize
706KB

MD5
fb8e51f03ad8f3a3cbf9cc927c7b329c

SHA1
45cb98c1e32c6001d8f7cfdf7e85e023ce07058a

SHA256
28fda9531755dde91cdce029f83428d654509e7edcaccd4b54631c60f6cd1afd

SHA512
2fe0328e68710d540a5a44e2befb54cf1275a22c121fb44ca435aac8969a0b0be51bd7377590cd7f49971cabce3bac48d1965033f55e3905b0cc3e93579a7ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMIa.exe

Filesize
307KB

MD5
d98001bcf7ea7f9236ebcaea789dac56

SHA1
1408626cf7892dcb114387f402fd4a692694f554

SHA256
85fd53da2b80f92609490e25866ea4c1b6baf805c942462bd59559347a9cc359

SHA512
0e2da84794fe26659a008cf0e0613cff9e009340ce543138d6243179eac32f0bc0acbceb50b54920fa33775818595c575d34b27a3de14f388f107472dac4302c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMke.exe

Filesize
379KB

MD5
1cb1a67369e0f93ccc1000536b2513af

SHA1
554fe17ac2f8257a0711ae605610e7e668da8688

SHA256
9e4876e3a10de59be8e9ecb804ad8e8219643b32a06fd197e44e70aa3c7e1aee

SHA512
c53145fbbd231724084c4f599e3748787add913e78f0b556650011611aa6e675b16cf4db4f76ad4aa8c3d40216c652ea19db6a7e5cf015f0367f31c37684d84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYgI.exe

Filesize
324KB

MD5
6ae34782dbc85bfae180da621698effb

SHA1
18d6b473ff2e3e9fff16ae730a79ea83153c7eee

SHA256
49ef4127729f0330aa64b99431e63d6a0fd23a405e0f36995334bb7b7753739e

SHA512
e67fb17fcfa4da692e2eef188682a9ba9fd2ce10ee9abf65073d2b941a7d3d32e5d8a0ea4d719efd17bfa63ecfe3027ba4784e52e006986692ec4f8b04892986

Download Submit
C:\Users\Admin\AppData\Local\Temp\mosA.exe

Filesize
256KB

MD5
d0a5972e4cb8bea4cf42dff90d548350

SHA1
70896bf2917e910311cfd23ade11941b4c5982c1

SHA256
3ffb964bdb68df3fd830c891f71a6cd18de0efe3046d08f561db4b961ae244ac

SHA512
48b9b4f575450e1608f053592a29cc354a674f00197dded4cb366cc1fe63734bf53719f9df260f6de19fc70a67a900862c45685e9b6980614e35e7caa6f2b59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwoe.exe

Filesize
202KB

MD5
b54d13c40df35ce18317836e10d8ed4f

SHA1
28f41a35b7db2e744093f45247b6cd12f69bbbeb

SHA256
50736207db396e1e5cdd46e437ca22fc472be81ec81b8a2c60f1a4c99028611c

SHA512
3669b32bd48dbd57b8e687008cbe0afed2956401f37dbd6a878169ca068581a5398847deb271b1bf75dc7ce0e345bc4900f893bced04433540784982de5c174e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAYW.exe

Filesize
209KB

MD5
d1aa724d6ecb615dcf4eb7eba32e99f7

SHA1
a3975f4c87917bd3e0cfcabd4463e05c0a33df15

SHA256
8f712ece0447e39e334e9b2dcfe40668ae31a4e182b4fc4ac33969e28bccc8e5

SHA512
bba5a5b9c99da7f3cc02d08de36a7d4104c2cc199634f2872500eb4b61190314369d7efb37d1a26ce7cbdcf2a2bd414600b09789b7bd9d881ef9b2cf425ea4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEYA.exe

Filesize
208KB

MD5
6f9ee06647cc9c3fb2e76900a4eda372

SHA1
49fd568b0155d503704d81b48ef3cab9c58ffa4f

SHA256
18ba94ed986b17cedb4549bfdfd82ea1204c99086483ed76bbb41db6c5916b38

SHA512
60752b2782a511abf3cac8cc8407f120e1830db2074f4ec4bf7d3562d568881ecbf7e275ad8093b4fa6b96790cce8903d68fd0d4daa3cdc6ddec4d19454ff103

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIsY.exe

Filesize
196KB

MD5
eefd8853d01219ff50d2b966510ba9e3

SHA1
34d9abeed7db16925bb5fbe576822be3580aab3b

SHA256
ad43dc99ca4bd3917c2104a34e2de94d48209f60d1c7d40ddb56be1534f2c334

SHA512
dd62805b2ccb71915d39dc7c9cb692b84fe6ff6617f182ce7ad7ab927dcd3ea08cf3c790b8d3761b13ba274bc5decc82fa02ac553fbd85df18a0053ae74890f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIwE.exe

Filesize
622KB

MD5
14ae793b2cb4fb00d34e01a78b1d34ad

SHA1
d9946502e9bb5750eb3dd5db27a3b5822a2f223a

SHA256
8c0964a856e143b5ac11e8db3d9dfcb364444cec5772bcdf833b1fbc631fcfb5

SHA512
fbb595520742ef086c004097b49aa83ee9beab3e98a5ab5654eb2a99c5df5785ffbf222458dc63def9b896a29eb55ab1120e6a65f24c1277b2fecc1c48a32341

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMwC.exe

Filesize
192KB

MD5
44463ad883c3a4521d0b9a45b195418a

SHA1
3cafafe558bb128de3b2ac8e809b6a3313e1b887

SHA256
263d492b0fddc0c58aaa733dbc154062a3e682f09bf1c1b98bfc8120bc3177cd

SHA512
8b318292104e591bd757a41026d7a40cc28e7f3b32e3e209c3f146d9cf8fdb6b210f64b7b7f9f0e635fb23ed7f1c8c910bf59c04c7a8687c649d9b7e96a1792d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUwo.exe

Filesize
1.0MB

MD5
3973285442c416a1040a3d70b40cfc60

SHA1
8518d19cfd51c29e14661473ebad7295eaf2d55b

SHA256
44c46cdbe0aaf39b9c082374cbe1d576813fba9cef87e88064de61493e2253fc

SHA512
3c6a0cdc17b45ad43ff10b27281bee2b8bc665a6c623df5fa05b3f805c61328fcb5448cb734e6f2aef8df4a01f042ada993fcb6e0bf42019a296a6e190101d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgQy.exe

Filesize
202KB

MD5
ba44d55872ac7f1ef048d3ac25298949

SHA1
14a6ba5b6a342490f76a9e0aea10998c11cdf94f

SHA256
de04e878a94aa3d15529065b08746d34888315761b673f5ede3e86fea4211732

SHA512
872fe63014bd8a0f259bc3c5e11529cdee9ad187fdf826f40cbb1ab5452e8da70a7e73ec026dbc30dad9844bec12d9e17ce5a674867480a9dc0e84b316879b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogU.exe

Filesize
242KB

MD5
7c12e0301725334e4e7490937a24464a

SHA1
577765f0728c62ac2d701c8beb7bd5942b128f19

SHA256
c31217e2a4a375fcf5ce6375946948c29d793f259c5c7a501c3b7834fb5c6c18

SHA512
54d86fb95291f6f2dcd3f1ca846e678cf8e7959a6994ece487fb58c700a55757004245f014c1367592f117d987b8bd5daa7fff300fc01bc5e32aa4e5f5acab36

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUcg.exe

Filesize
683KB

MD5
44308495525d12a5e7159e6ca7069999

SHA1
707e93c8abfa85193572e81a7a41cb71c401cba0

SHA256
a18a867ba86cfe7b995494d54558fb08bef4e0803e01927f4f61d329acc98070

SHA512
394695afb7d58aaeff7d8e610c20d16bc0f7253f82901590eae8ca208f11a6a226292249bb0057ebf935d6378a3a2715f90ed99b9c4b22fc241de85728fbfa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\swMS.exe

Filesize
664KB

MD5
260dc8529e5bfe458bc16c61a1f3a88c

SHA1
d0b4288c15e82aa248def409af28e7d7906a4b8a

SHA256
72459705ab5c2dd2696f03b10433c94509c4e514097f814ced14e0b0ab52c67c

SHA512
bb404a43b2a849b405dc0d7324af7e6cf50a76cfaac43df4ec8b21b6f0b30cc6ffa339035e3f08a4f45adeb25880700ff73e4720ebe332dda5d7ba8bdcb2e2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIEy.exe

Filesize
186KB

MD5
b80555e9217afccbb71ffaa38ab2ca94

SHA1
ebf7341b780ec5e7d7d1a32ac23e6e6f7d21fa86

SHA256
b847e92bdad52cd9a86ac1265a23e7da772a20d779be8e54cef0caae0d84b85f

SHA512
7e9d9abe9278e6ad6683c8b374677203d2f2ba346fd9f0c22286caaaf063b842fdc51e66caef84a20634c05db13647153ef8606b75a60eab79a7c36acae5ace1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMEU.exe

Filesize
341KB

MD5
be4bd5877748e872419622e55f1a6406

SHA1
20674bd5e584bab0ad8efe7e1d9263f8b1739008

SHA256
4fb58a4585ae81b06b32dd9a17b986ae7039b8cbf7f26d396be2e181eb000e06

SHA512
0e9f9306d3c03794777d52c589a66ed5b91f5d5641d20089b47bb4bbf34c3578dd8be198696769956a3a65a6475475e9e515c094680b4a1fb67cc4f30d0eca08

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEm.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIsE.exe

Filesize
192KB

MD5
f63b01959fb7041771a979dd3663277c

SHA1
7c978545144a2a29e9a09192cc2dbc930a4a429e

SHA256
34b1946521f1c25ab027165ff366b22419490a36ab91d416146fd8a6d81f325f

SHA512
b79063e848eeefe73dbe52d40cca0cf21e47af3fab7337b9c76dcc7d2d13512506476aa1d5bcdde5f766e5d8ac1b3dcdf1af3914a72621d3510a631a8ea13fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMO.exe

Filesize
194KB

MD5
a90d01e53394b6f1bad8b7ae8570b7ba

SHA1
aaaaf18fa477a5cb8b0a7feb1b601fe1bc1f5c64

SHA256
4700e0971f851b5b5e110e4f311b7859587d76698c2c19f1735632b07649c98d

SHA512
6cc8fca1c45dfb20b4e8a69f844e3b5c93a7d83f9693767652bb835f7b714e6123f9f7be25e9bf76b0dd2b962b394affdf9332fd13bb0e99be6e1e28356d3c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcwi.exe

Filesize
5.9MB

MD5
3d062bb45795152b390363b8bd79e527

SHA1
bbab728fa5a9d415b58b775fc2c4536a9ebc2c0d

SHA256
e1f600f98c9d25aad5644f0c7f3cf63830d85f55fe1fd1643b07bfa0a759c6a7

SHA512
1bfd3eabb196c178d58d5bb7719eb61a514006b3707dcdeff74d5b80b3852408b2c7cd17557b5884ebc6a5c05c446f6a58adbfd36dd9d8001e177edb902b5703

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEQo.exe

Filesize
191KB

MD5
9151684b94e2e6b782819b05a63635c2

SHA1
e654ba49d9c04a1f46459930f7ca018e6e3ae18f

SHA256
d371264e88034584febbe24daf3e09ad8965df550d33a8e9fb09ab8537ff43e8

SHA512
30203529309f3c4b28f57cd4afc9a87e40eb6f8ed562f41bff3557df180a3931a1d016320f84a56df05c896ba21bfbeabe2ddd6efcd49967608e637afd71c53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIkC.exe

Filesize
798KB

MD5
f9d1cde3382a6091637f4fc0f24dd7e1

SHA1
909268d2e70d71f60edf1842b610fe5f515cd85c

SHA256
b66021c2e74d94da819265da6bd0afa74f4d9f722527c2948f38327f974a8b65

SHA512
d1a790fd86ad357f22469e930a78187825378f84f72234cd7ba655b77310572f5462166b0ec9241cb2ee75dc981d6d357f53b7dadefea23a12fed799d76df06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIkg.exe

Filesize
187KB

MD5
e99e5c71897403b9995e8029a4b2ed57

SHA1
56b5dad1de56798d018ca1a99cea9ae48894cd1e

SHA256
4c55eac4616758f31322c6bee3d7a9e759aa3623a7258eeb57bf92382d6fb956

SHA512
366e792a74835f809d2e27825e61b8e56cbb2781475b62085b627a739881236498006fe432268b0a18cc225ebc2c1dfffa2fe5ecb4820fa8e661d29d831c3b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywEy.exe

Filesize
199KB

MD5
e5026913748d5c44a564c523be914202

SHA1
8cc953dcad69c585ce6652e3aeff4ada2943aa37

SHA256
2f5fd4c0f5a3120eb01588ca5660efb1fbfa0a30b45738755af63bae5efe5090

SHA512
1c8b5b0257d97447be7d4fa0daf208116f1c2c0f5079cc1739c7ce8949f63b9d537a2ed05f728c3598e69aee4b40a69f9ffe52d35a075f1fa6c2806908739a27

Download Submit
C:\Users\Admin\Downloads\UnpublishOpen.mp3.exe

Filesize
817KB

MD5
ce3e53bd30d72d558bfade9a428d5355

SHA1
6904ef4eaa78787e5b64dd4a2b8668de606cefa5

SHA256
d9ce90ba446cb0ed851ee3d49ec07d799150c38a37c00e7853483ea04713da1e

SHA512
c2d92e3a729f994c0135eefc273ecd3a9ca54c2c7fc1d6203af00e6a9417eee72b7d323008be4ffede5722bb9b7df9d60fbab91f80e99979e5ee450290d3adf4

Download Submit
C:\Users\Admin\bWYcMsAc\nEYEYAwQ.exe

Filesize
190KB

MD5
83aa18e95189c622d664f4537c6c3324

SHA1
a818e1501c2039b6befc78e1ef0ed0882b2cb4b9

SHA256
83a2c38fa4e1c2516e71b3d329be29f4eaec369ec0fb0d684229380c95f36f3d

SHA512
bebe0fe5035da121ee56b966efa3f9beea211a6b1b8710c46ead3c105d83fd303cee7b18656cb9076ff0859485bb1acf51f82202b49d74c4e0c45749d2cf0706

Download Submit
C:\Users\Admin\bWYcMsAc\nEYEYAwQ.inf

Filesize
4B

MD5
ec65c8f6b658aad9a8f527d177e0e69e

SHA1
a408e10ada7c40638a0432a89cae9b58c6883111

SHA256
b9fa142732cefdf19c088a5a761433c6c77962f734e081a25bb2758031a6c365

SHA512
fe14eb934f42d3d6100d1cb90faffcda576d531976cdfdbeef098d9d371b51c32af822f34186b7a9f12d8d7937bd33fbb9c7cde960a19d0d553b74a6df19e6f7

Download Submit
memory/8-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/544-554-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/956-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/956-254-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/984-527-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1072-492-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1128-570-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1204-147-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1248-483-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1252-362-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1316-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1316-300-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1328-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-447-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1344-439-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-422-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1472-597-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1472-589-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1596-458-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1596-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1676-289-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1688-387-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1700-217-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1748-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1756-616-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1764-694-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1868-457-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1940-686-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1976-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2656-678-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2660-720-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2796-501-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2796-493-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2900-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2916-335-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2996-100-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3308-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3352-669-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3424-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3516-880-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3596-438-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3672-124-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3724-519-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3744-625-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3744-617-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3796-182-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3900-562-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3900-550-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4000-327-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4000-318-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4004-317-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4016-218-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4016-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4024-308-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4032-206-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4056-792-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4100-701-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4100-742-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4240-509-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4288-598-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4288-607-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4308-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4332-65-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4336-535-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4364-396-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4376-652-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4392-378-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4440-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4440-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4448-474-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4492-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4576-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4580-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-793-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-848-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4660-89-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4688-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4688-171-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4748-253-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4772-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4788-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4820-195-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4888-336-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4888-344-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-404-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4940-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4960-643-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4988-634-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4988-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4996-354-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5016-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5060-648-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5060-660-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5060-281-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5060-273-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5092-78-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download