dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 08:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
Size

113KB
MD5

1c1273edc36515ff69e34cba84421e84
SHA1

00403d7201fb0f975a81f174b460053007597fd9
SHA256

dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
SHA512

035d4424bf53899ad6c28b1dbee39cb4769c51b2f5977e693de852d80cba55afbb176680226b8783c2d60109a929da3af9fe8c25cbd10fedeaec24b4fa05466b
SSDEEP

3072:3RK9oIJ2JJ3/FmGmqddftdQrgoG840T60Bk6ezYZP50ENMYX+ODqHzMkfbeYuSTX:3o/JKJsGNftdQrgoG840T60Bk6ezYZPs

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	PksocsIE.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	FywMEUQQ.exe
4928	PksocsIE.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PksocsIE.exe = "C:\\ProgramData\\eUokUQoE\\PksocsIE.exe"	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PksocsIE.exe = "C:\\ProgramData\\eUokUQoE\\PksocsIE.exe"	PksocsIE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FywMEUQQ.exe = "C:\\Users\\Admin\\LIcAoAAc\\FywMEUQQ.exe"	FywMEUQQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FywMEUQQ.exe = "C:\\Users\\Admin\\LIcAoAAc\\FywMEUQQ.exe"	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4188	reg.exe
976	reg.exe
3024	reg.exe
3976	reg.exe
1724	reg.exe
4056	reg.exe
436	reg.exe
2508	reg.exe
868	reg.exe
3976	reg.exe
2540	reg.exe
2120	reg.exe
4232	reg.exe
2492	reg.exe
556	reg.exe
4808	reg.exe
3496	reg.exe
2760	reg.exe
2608	reg.exe
3964	reg.exe
2472	reg.exe
4400	reg.exe
920	reg.exe
1264	reg.exe
2800	reg.exe
4736	reg.exe
3980	reg.exe
5036	reg.exe
4932	reg.exe
628	reg.exe
2456	reg.exe
1220	reg.exe
1996	reg.exe
4476	reg.exe
1724	reg.exe
2464	reg.exe
4972	reg.exe
2372	reg.exe
2512	reg.exe
1008	reg.exe
3336	reg.exe
3864	reg.exe
2924	reg.exe
4196	reg.exe
3012	reg.exe
2668	reg.exe
4244	reg.exe
5036	reg.exe
3980	reg.exe
4832	reg.exe
1708	reg.exe
1692	reg.exe
3684	reg.exe
1688	reg.exe
1684	reg.exe
2376	reg.exe
2224	reg.exe
3668	reg.exe
5060	reg.exe
4020	reg.exe
1200	reg.exe
2188	reg.exe
3996	reg.exe
4480	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1264	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1264	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1264	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1264	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
3944	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
3944	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
3944	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
3944	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4396	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4396	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4396	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4396	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4648	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4648	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4648	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4648	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1224	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1224	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1224	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1224	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2372	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2372	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2372	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2372	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1008	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1008	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1008	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
1008	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
836	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
836	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
836	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
836	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4816	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4816	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4816	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4816	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
5116	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
5116	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
5116	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
5116	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4664	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4664	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4664	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4664	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4188	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4188	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4188	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
4188	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2232	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2232	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2232	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
2232	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4928	PksocsIE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe
4928	PksocsIE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2864	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	82
PID 4476 wrote to memory of 2864	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	82
PID 4476 wrote to memory of 2864	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	82
PID 4476 wrote to memory of 4928	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	83
PID 4476 wrote to memory of 4928	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	83
PID 4476 wrote to memory of 4928	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	83
PID 4476 wrote to memory of 4108	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	84
PID 4476 wrote to memory of 4108	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	84
PID 4476 wrote to memory of 4108	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	84
PID 4476 wrote to memory of 3904	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	86
PID 4476 wrote to memory of 3904	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	86
PID 4476 wrote to memory of 3904	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	86
PID 4476 wrote to memory of 3688	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	87
PID 4476 wrote to memory of 3688	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	87
PID 4476 wrote to memory of 3688	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	87
PID 4476 wrote to memory of 4908	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	88
PID 4476 wrote to memory of 4908	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	88
PID 4476 wrote to memory of 4908	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	88
PID 4476 wrote to memory of 988	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	89
PID 4476 wrote to memory of 988	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	89
PID 4476 wrote to memory of 988	4476	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	89
PID 4108 wrote to memory of 2604	4108	cmd.exe	94
PID 4108 wrote to memory of 2604	4108	cmd.exe	94
PID 4108 wrote to memory of 2604	4108	cmd.exe	94
PID 988 wrote to memory of 4924	988	cmd.exe	95
PID 988 wrote to memory of 4924	988	cmd.exe	95
PID 988 wrote to memory of 4924	988	cmd.exe	95
PID 2604 wrote to memory of 4968	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	96
PID 2604 wrote to memory of 4968	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	96
PID 2604 wrote to memory of 4968	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	96
PID 4968 wrote to memory of 1964	4968	cmd.exe	98
PID 4968 wrote to memory of 1964	4968	cmd.exe	98
PID 4968 wrote to memory of 1964	4968	cmd.exe	98
PID 2604 wrote to memory of 3952	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	99
PID 2604 wrote to memory of 3952	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	99
PID 2604 wrote to memory of 3952	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	99
PID 2604 wrote to memory of 3200	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	100
PID 2604 wrote to memory of 3200	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	100
PID 2604 wrote to memory of 3200	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	100
PID 2604 wrote to memory of 2348	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	101
PID 2604 wrote to memory of 2348	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	101
PID 2604 wrote to memory of 2348	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	101
PID 2604 wrote to memory of 2076	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	102
PID 2604 wrote to memory of 2076	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	102
PID 2604 wrote to memory of 2076	2604	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	102
PID 2076 wrote to memory of 3308	2076	cmd.exe	107
PID 2076 wrote to memory of 3308	2076	cmd.exe	107
PID 2076 wrote to memory of 3308	2076	cmd.exe	107
PID 1964 wrote to memory of 1164	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	108
PID 1964 wrote to memory of 1164	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	108
PID 1964 wrote to memory of 1164	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	108
PID 1164 wrote to memory of 1264	1164	cmd.exe	110
PID 1164 wrote to memory of 1264	1164	cmd.exe	110
PID 1164 wrote to memory of 1264	1164	cmd.exe	110
PID 1964 wrote to memory of 4024	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	111
PID 1964 wrote to memory of 4024	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	111
PID 1964 wrote to memory of 4024	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	111
PID 1964 wrote to memory of 436	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	112
PID 1964 wrote to memory of 436	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	112
PID 1964 wrote to memory of 436	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	112
PID 1964 wrote to memory of 1888	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	113
PID 1964 wrote to memory of 1888	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	113
PID 1964 wrote to memory of 1888	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	113
PID 1964 wrote to memory of 4552	1964	dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe	114

C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
"C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\LIcAoAAc\FywMEUQQ.exe
  "C:\Users\Admin\LIcAoAAc\FywMEUQQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2864
- C:\ProgramData\eUokUQoE\PksocsIE.exe
  "C:\ProgramData\eUokUQoE\PksocsIE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
    C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        8⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        10⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        12⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        14⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        16⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        18⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        20⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        22⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        24⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        26⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        28⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        30⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        32⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        34⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        35⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        36⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        37⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        38⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        39⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        40⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        41⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        42⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        43⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        44⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        45⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        46⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        47⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        48⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        49⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        50⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        51⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        52⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        53⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        55⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        56⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        57⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        58⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        59⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        60⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        61⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        62⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        64⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        65⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        66⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        67⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        69⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        70⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        71⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        72⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        73⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        74⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        75⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        76⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        77⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        78⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        79⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        80⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        81⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        82⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        83⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        84⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        85⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        86⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        87⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        88⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        89⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        90⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        91⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        92⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        93⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        94⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        95⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        96⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        98⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        99⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        101⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        102⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        103⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        104⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        105⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        106⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        107⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        108⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        110⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        111⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        113⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        114⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        115⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        116⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        117⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        118⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        119⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        120⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        121⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        122⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        123⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        124⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        125⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        126⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        127⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        128⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        129⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        130⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        131⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        132⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        133⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        135⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        136⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        137⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        138⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        139⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        140⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        141⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        142⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        143⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        144⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        145⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        146⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        147⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        148⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        149⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        151⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        152⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        153⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        154⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        155⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        156⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        157⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        158⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        159⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        160⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        161⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        162⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        163⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        164⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        165⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        166⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        167⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        168⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        169⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        170⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        171⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        172⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        173⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        174⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        175⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        176⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        177⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        178⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        179⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        180⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        182⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        183⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        185⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        186⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        187⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        188⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        189⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        190⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        191⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079"
        192⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe
        
        C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079
        193⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKwwQAIw.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        192⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KucsUwoc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        190⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zegoEIkI.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        188⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zesUUQoE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        186⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsgYwckQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        184⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCQAMsII.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        182⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuIEowIw.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        180⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAsMoYMw.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        178⤵
        
        PID:1920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGUggosc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        176⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIwMsIEI.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        174⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOAAAcgk.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        172⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKcEsoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        170⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LooEwAkY.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        168⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwwwgckI.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        166⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMoMUkck.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        164⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiEQYwok.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        162⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQUAMwYY.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        160⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twcQgMok.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        158⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUYQMQQs.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        156⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKAQgIIA.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        154⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEEQsUos.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        152⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMcEUMIE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        150⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asgUoMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        148⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:3012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKggggkA.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        146⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuccwIkg.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        144⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCsYoQwE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYIYYAoA.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        140⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsAUQocU.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        138⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuIswMIs.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCIwIYwM.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        134⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAIIkUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        132⤵
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKsgIkQk.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkwIAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        128⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAQkwMwA.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bocAUYkw.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        124⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcIEUEQc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCIEUIEE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        120⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiwQUUAc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        118⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecoocUQE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        116⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWcsoEQU.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        114⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUUssMAM.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        112⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toYswoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaoAcwII.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        108⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAIkYAQE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        106⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAEAEMcw.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        104⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYAEEAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        102⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYMoUUcY.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        100⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zesooMco.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOYgcAQc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        96⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqYYMwgg.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        94⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaMwMsUU.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        92⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGcEoocU.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        90⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIIYssgs.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        88⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUkoEUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        86⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuYIAsEo.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        84⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dukMYYsM.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        82⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\likogYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        80⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqUoYMEg.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        78⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCkkMQgs.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        76⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwcMIAEo.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        74⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waoMgsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        72⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIUYMEIc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        70⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuYMcQwE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        68⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWgwgAkY.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        66⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LokcsEYY.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        64⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiEoMgco.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        62⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYoQMgUo.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        60⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKkAsgMo.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        58⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOYcwIUA.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        56⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liMcoAMU.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        54⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCscwYAU.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        52⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkIAMAEY.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        50⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moAUIwAI.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        48⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMIgkIAk.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        46⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MowYQkAY.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        44⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEMEUYsE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        42⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcsMAgwE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        40⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUMcEscc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        38⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYIMwYQk.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        36⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uowgwcoI.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        34⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuEgUkAw.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        32⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AegYMsEA.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAYAwMoE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        28⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcEkAgYA.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        26⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgwYMIMY.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        24⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viYAgUso.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        22⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCAYMIsI.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        20⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQIwgcMo.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        18⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsUoQcEE.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        16⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIskoggc.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        14⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIkEgoow.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        12⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuwckAoA.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        10⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAgYcogI.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        8⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3992
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4024
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaggUAsM.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
        6⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3124
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwMIYEMo.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSEwkMUI.bat" "C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
557KB

MD5
506c5b475bb7da1f73e3305ebe95719d

SHA1
5d079d8a2e09d64ba393428be87ffd9b30a90f0a

SHA256
3771fcc9d13f8879d0a57acbc09dd5316db6b2ec087c89c863c5350abed0704c

SHA512
6facc918d840490abd01d60b7151a1f721ddc55503c60a8638b57c9e97b04fdffb6023f729194be6180094782ea01fb232ee352f8ec542c45459d7dc4015bb44

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
565KB

MD5
cdff6692334f4fb11facb8e6e2427e0a

SHA1
7e0993cb335e0e241dae6c256c3ba8dd09542110

SHA256
292e7403eb18ae25e70ac7583a59c033305d3bd8db385d6ccb1e5c0228bd1781

SHA512
ed608a92037f73b48a1c5f5b69a7726e551c333bbade0262cfe07be641991471e25586f2cc568d17c4fc3d2214b878d4069fa0d2fad7b2dfbfaff50f702eb119

Download Submit
C:\ProgramData\eUokUQoE\PksocsIE.exe

Filesize
110KB

MD5
47b170f8f883ad6995393331149b4020

SHA1
08a699216940921e8f79cd17fab13c5942642a07

SHA256
5cc9f10ee4614f268191ea4e071e2d048e4368e5fd1f59f8b6f66a16f521d069

SHA512
b5489fa00bebb306288482de8b3a3fbe8828d9425493fd94b5c4bee5232be2026ab3f0214a0d6318286e9fa373734c593140503504046ef353a021e8144c6355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
118KB

MD5
9e8fc5d85602fd4e3ce1cb085272d3a8

SHA1
cd12901594d24d5ec43152666418272a838f4ff7

SHA256
1177acad5c463c3ad744964170e865e8e6548b07ead57657488bc4ffb2a2af7e

SHA512
e3ce79b7331761d09a4e9d801ce15b88aa1cb26c5172963fa9875619435990b164559650586f379076efbfb069c833d06034737a7c009c59eaa0d6ac968dcf19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

Filesize
110KB

MD5
334669c0d00bbc269acb67ba5fc43266

SHA1
ef84dc1bb11bb23340f5fd5f9115fbe5d6a17f73

SHA256
f55b1caa398b10bad099e46e72b0d2ab9d012936ede9d1c5fecd47391a0c56e0

SHA512
3822dd9faa785aa395901893b1b379a81d43272242c3b9e8af2ba0822604036735d683d881b3d6b3d32a507a36d1ab341d0428f12bfc29cfc141ad6976a234fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe

Filesize
111KB

MD5
2108f6a5198b9bec6f6821c04bf46239

SHA1
59c06fee041cf5e79c685e34376799b08179ea04

SHA256
431a3d8eeec985969d0ddac9473c1187cd1b6ff959245a6d8222a2976624036b

SHA512
6aa1f8f654b4a17d621a693cda2c93ae44470f1439812236d7536d0efe09445172e4faec2de6ae780b4a23e4fc2f7c0e227abf2d7de52f5019a1566e80536555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
112KB

MD5
77f148a7dfcaae3f305584c42309e451

SHA1
325b671b06a57fbc867a806ba53243a077c25203

SHA256
a840ae276e66cec6a66408d621c9bcacedff4aa6e80a80c4e399dcc805af21cf

SHA512
86605be9dde8ce98f1a659b0a9ef6c39773e5f147e90b52f776c92ab2b3051c47d6fd1a4c1d1e1eef0dfefec10e7e5e5ef0fb7471a5b60bd89e9691fd5cea47e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

Filesize
111KB

MD5
1c0fb0625e37b4f302a97187628d73d2

SHA1
c396636f32d191368fea5592da6d96c3cb1f7baa

SHA256
52dd12adf643aee8ca3061427aed6dd053c7c2551bf36f6555b5ea26be0b51ee

SHA512
83553571677c768d814794514d9f43f61abf82107fa52684b0a70520dce2a1420c8c0332ccb2e8a0a49b7883593b09104d9fc8c1a32a9f854df9a8b724c0bef0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

Filesize
112KB

MD5
832b93adb0deda63dcdf93cd858c4351

SHA1
cbea22763a0a30c08bfd51d63e7060535cfbb6aa

SHA256
1dc63230e9fdd192509e5253f9c7cf0cc50635078f4d571ed516a2e96b05fd18

SHA512
5c70b135b8aaea7479554d7405200f6db90398b815e7469bd39a97f2159f50d4d88f97555ce87d7eab630cf40aec743aa3865a073b2fc67c35de4765821cd120

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYYU.exe

Filesize
117KB

MD5
5251be6168e1370396c63be1adfd08cd

SHA1
fb9deff25e77ec07e2b9938607559c5ad9335d48

SHA256
468981044c135f73b366efec0c5b22a8ff7b39287040296fe592beaeaf4006e5

SHA512
b9b40cd7ece8db3176e917487248eabc1cb98216f13ab750a452bda4eca8e76e65845d9094342615ca5fc92f58aa771069dcdb7ead57de428a5d65fb6eb2dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEQC.exe

Filesize
149KB

MD5
1b4999509ee2c1180aee6b0981027cb0

SHA1
4a7d1ae4f7391683f9179e0494345e19b420b648

SHA256
b0a2b700afe2cfd3869da3ed5522eceaf9e0e58858b08a5226a74233f8a6ea36

SHA512
aa49905f24d3ed56c8bf7d713ffffa98c6d3305734a41d3e8d3333bcb4606f43de5862c4d97f54a4ada8cad085117602d24bd04937e65a393d4c3e9606b0a631

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEUS.exe

Filesize
237KB

MD5
d17d1c0a86b0928ef53793bedc935017

SHA1
4bf045995eb0ebdf3c7bc149d7b43e46b11bfda2

SHA256
8cfe1d646f4a5cfc3f7d581afd37af2f620c800d1a070eba907225949cd50324

SHA512
8ef7eabcf71984716de2e94aa82a5dbb8e0a3341c3aa8af0fe47b7deac7b513a3de2d33eef961d3fea923d8b488469310c4710ddc7a49d967f5c0f3c826ddee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYYo.exe

Filesize
871KB

MD5
0edcf2192cbfa1d293f3bf0686f8e08f

SHA1
0fa6ce86ed1eafc32f4b65710a11fb27628271e5

SHA256
2f37c8be540e626b1be2a0356950c58fbb4b87654388d016791da8072f1eb25f

SHA512
84bee12e6692cf759f2e2967fa9f0e85d1286763b4734d783539567ce89f8aba1d0910b38814cf7a6df2cd12f687a2c35adc08241451c1f5a058535d67c2959a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkgG.exe

Filesize
140KB

MD5
a5f666b710025ca4c56c83e2c634a314

SHA1
9e5ea7b633670816d408bd5bb04ec46f7b608286

SHA256
855b97161e40fceda852e390930f6ab0c586c930fe081b8005014314ce803d0b

SHA512
1886fc446f19c61617f6ebecd40d0ddf920e3ed4217011dfd31a8f80ea48a550065f622d05cdea4aacca219a7af3c23a020b3d4582e33a4b868b2a1dd98ade77

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAss.exe

Filesize
238KB

MD5
5c460e60affcf5d1f642ca2bc896472c

SHA1
28c8ac698704c9c79d613f99203a3eb61783cc7f

SHA256
87c67b337ef567a1236a33a4d47d204e0d657c8ec3f79a849cb4220407d2b3d4

SHA512
4f9e1e11941d0e41a0f66c24f057b385f609749ef969e51737d2eeb7ab820d2aabc0d3aef7f3b734252d4ee3d01622120aa7324b6d93fcd12acb36aa36a03365

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMUg.exe

Filesize
111KB

MD5
a9f1c2ebe06851ff9c8d2294851e7a9a

SHA1
a2e208552436b937a9a98654e9d70fe2a1d51036

SHA256
46264d1d1ffee4cdf46ec9980014c8aa68b129920f35b335c407330417712949

SHA512
210fcd351831641b03b9ae723a8b4a81ca97d91cb8504980282fc7a6b5dd79f48cd6a1a3506189f93dfbbf5e761e91484f7206fe836d197cc7fa1ae4d7744b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYgS.exe

Filesize
119KB

MD5
5a592f395da9cde252cfbcbc4c62b7a0

SHA1
7dd9049517dc0518a9d714fbf4b8b9eb83910763

SHA256
37a388ad3012a2bc56e7521287d1f22d202980c8325117f2261a0380f2bdd182

SHA512
c4654a4951e03444bb1c5deb3594b18fdc72bf9545890b15620b9c68e203681ef56d0ecf147e904223d2b1cc1cce0b34fd932337b9ac4210e980ca27e0751630

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcAC.exe

Filesize
195KB

MD5
20a6ddde24bd085caa3028c49cbec108

SHA1
7bf88f40b3ff56d5718833ab988191194fc44cd3

SHA256
b95472e81031ec38ee187326b52dc1db09620aa4dea277a069009ebedcb34e0b

SHA512
afaf18ca14e42adb6f44ef481ad7a732fafe130c135138126916b6c1b03531054beea922c4349d45db23f1c4b89adbce2ceecf49738ad65403cd2d7a2b7e6725

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQC.exe

Filesize
235KB

MD5
d7ee077ec774afc615fdbdca545f6b75

SHA1
ce4a04d28cac8b23235bc4ce0376a225e8329b5e

SHA256
611f52b7ade3e008edd79ab3defe7afeba7838434cc727656d266db1ab9c8695

SHA512
042e0a0628fd41aa095c3faf9419a21edf8fe301f5815ba0b3f468e05e08ffb738918af335929d06633ff91fc21e6f87442d352fc8b59093b33664854a8d5cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekge.exe

Filesize
485KB

MD5
f2fe66ab0d901dae65e2566701e0e07e

SHA1
830b77a487d65060785f5fc402050fa95ff7e50c

SHA256
5850140764f56c8afe08b45de1baa9d8326ae1bb63beabd9009a588fd1697d85

SHA512
d721d09249c54edba0607bfea0d5e538cec2fc67bffde74b4a9cc3b53d3cd5ab29ca8d01ae8d0472071df41ed0b51095289cd76c1827edf0c47bbb5440831c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoAQ.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsMM.exe

Filesize
110KB

MD5
9b90dcba1e5c2c69562d00d43801b7c4

SHA1
d8562df8d831c6f34b1405e746ee91eaea8abbf8

SHA256
420e8d796737c26c05873c4bff43c7ae35f2615912277b486e8bcd2e90a2c124

SHA512
8b40f7e405a8439884567918cc1580376b63bb69d78e4cd9d504a8e896fc1e7d339efca955e265fe4c1d648edaba2ea3a062243d2e264056e9e7e14172784412

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMck.exe

Filesize
110KB

MD5
4bb3d53503702809f44c86a108ab7403

SHA1
190f6fe2417159af1a81666ddfcb311e14d891fe

SHA256
943891efb3309b1431416c73a1966ffee030aeb24d296ebd33b02e22d9014ff8

SHA512
588e52bd308088b10b5c7e3a9887d9ca1c06182dcf98ed6cf9d0197595e7447a561d4ce57cff81e59dd077f8c556f31626b3d1ea0762f13f15edaa863d55fa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYgq.exe

Filesize
112KB

MD5
d60b562c5266d7181d0b22d42856829c

SHA1
81fda190f4b5392597df44f245a146337a83cd7a

SHA256
820376295ac974194fdd983f35ea91bafaabd7a6078e38ce462683bf9e7b4acd

SHA512
44ce09cd1b75f544ebcc837c108aed99c00ca43afd71b64b4f79d5dadead1c177ee652ecceaf5387bd89ab8e4a648ea59866a590477f0b2c86bc02607d4e7ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgcC.exe

Filesize
139KB

MD5
b57c365338587bb6e2471934d225dd24

SHA1
f63c7f33ef2e61fd2b9b44c0fb84826622faa26b

SHA256
b02eacbf5af3f2d9fa3e3f4a5dc9146e3b8e4dbf1d830bbfe400ff7bd53aba5a

SHA512
44714b11cd653f42ea21f598fd57988566d1628be159517995d47c3a95283896ca8382e5d6a0c0f747b22f359463c39d1f1fbee80b0410aed582b1bb6c07cc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsME.exe

Filesize
111KB

MD5
b5edb03efef426b2a9179388d38b4ee9

SHA1
b46288f33f5ac7c97215271511c940dcd3ead677

SHA256
e77539b73af9e4bbfe5c885c38cc2884f4f2ca534d8f0cf71728872d772b063b

SHA512
41015bd9aad977c8ba9fcf81121ee02de8156070c4c12629cb89af25c41ca6f25ba64fe09606af3defbed1c7936987e933a7419b6afa03bf4af599fd1b502b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwsM.exe

Filesize
310KB

MD5
7b67ebf6d1b54de2c6ada454fa2fff4f

SHA1
cb23d9770ad07faf5c37cde25eb1eb42444d4abf

SHA256
d9ae3d702a0f202224bf72d419e3f69ac5018eaef16d8b716254c0c001b67f66

SHA512
d01f3b32c85047a745a0a106c49b655705410899f5d5c0f5ac1a95d5982161bfe3ef3dd536ba1b595e45f097bb02193166164dbe0b1b1cc6b95b8df3d8b9cb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAoy.exe

Filesize
111KB

MD5
9c5a48938a81d9501168207572634b25

SHA1
408a41a1c2ceb40391e98bc5f033088ec703f6ea

SHA256
97b6c6f57e85d853d32b14694758ba5cf406a72d00c5fef1d2120037dffd3068

SHA512
474ae0e16eaacbb576ec8a38b9f903ba8eae6aa01f38bc4d18b45ead8fe672dd7111a7342126c92de4c63b0040196d4f314c643b0c583a9ad8dc2927eaaf8c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkQU.exe

Filesize
890KB

MD5
7ca383c3d969e72c3c05a7114cf67bb3

SHA1
8f4941249e051d131c95393527a765b2b4870e49

SHA256
891f0d2783e877f6bef534bfcd37ce8663927470ea4815a3608eabb7ac52a81b

SHA512
ccc73a51fb226f745b0efff026943d7e54f6e33fa14ac5bc8869111bd01e0d42a7d5deadfbb00e5ae6deef2e3c8765af4d0406809d4d44b73a137cb4a2d32e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwku.exe

Filesize
118KB

MD5
e4b2baa58b5b51edcf9d9c77a32dc900

SHA1
51b64f4c623e2caca65ce0b1cb960577f083faef

SHA256
2229dd8248b5be2387bd651a175eb38414bf8f56d1e12d6fc0ece66fdabb19bb

SHA512
b88d6b77b119117e461415a48b030259fe11e9bf0924a0da201f21bc02c80d034887733627ab24e2b32896a39a4858e33dcff7f44e58c51fe2928221f1f728cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMgA.exe

Filesize
110KB

MD5
a9e253ebeb9adbe6b3d052a887527e26

SHA1
8be0a9aa9df9f962da0bfaf3edb8d2e9af7ee3bb

SHA256
a74d3c9a5035b498f194baef5dde8aef412ab7676cab5fe0a728e7ede0f34462

SHA512
5c7d1d5dd1378bb0d206020c9a00ffe9137e685f45413a0e6fe97a98a179b93cd56aadbf55d613d74de28aa53b7de982bcf6167c546f4e8b692a6923f68dd877

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkIq.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIAa.exe

Filesize
352KB

MD5
9a8bd5581786fad6d571c59669181ea1

SHA1
5d1877fedf7d81350b00e39ebcec4222019ec8ba

SHA256
f706fa347ce9178a5ac86e79d4e554578ca6757450d7d8c44bb5140c252d3742

SHA512
feb1b28a4d367475aae16b1aff18c4e21f1558ea4839b2a74d8e034bc4f08703721ed20ec804f62d3a7b4174ca8760eaf1ef88274da34618fb679f7b0d0406c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIss.exe

Filesize
111KB

MD5
830a8a113835717546c0b0475c8307ae

SHA1
abc4169f309f9cf1c90bd47f44d643e1740f8e79

SHA256
f75da47be2a9065309be0827e8eb701c8673a2b7066a7b4bff4cfec68601e8ae

SHA512
fa51685947aa894c6867a45dbf55c199f5b2508029206e5e012f0d6f9d2b64ea1cfab36b314d403667fa34c4336e4d56257c30b497bf7e1a6966778b2d300106

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qowe.exe

Filesize
115KB

MD5
19497ade49e2f24112d6f8c82254e89c

SHA1
f15c7ec5bd6b7046cdce21306b716954960e3d2a

SHA256
ebb09cb6363e9f424887359cfa88d879f6f295f8acb74d25fd91a7c11db8a2cb

SHA512
8c614678f96aad8d27039860e7392d9871ecf9c46bd8085b249eebdb383019df91dfae5bb3a8e62eec73e7d431bc1d077fab5972680f32cc71e61494ffe472cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwUE.exe

Filesize
238KB

MD5
9a3e42f7afcdcf1c25d9aaa596dbb40e

SHA1
2f30371ebc0941c46aef753a1d60e39e6cbf0a41

SHA256
b5f90cb8bb532c69d507d6364a6cccca5d497eee743491c0bc382f3a0e3f2e22

SHA512
6f1229a1ed63895b09a81a5616249fa3c6396ae4a670d27110446f81f8375e612d8289a7d32631478e4243ffc8236072b08a306a41b58cb8dfdd42d52cd183c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAIO.exe

Filesize
110KB

MD5
76327ec31d47b1df1c84a02401396f6e

SHA1
1b850c52d0e0d147045788488fe253969df5fd9e

SHA256
5dbd35d8c92665070b388641c531b4cad7ea7b06414bdcdaff32679c6013f4b8

SHA512
87557771fea0b17e0048cd6b0716abbcda68036cef6f6c27b5ba18d1493a695b244cbc2a9d4d5b2cba89b3e2249a53a1ebb4bc80396afae319962dc075e10925

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgQi.exe

Filesize
111KB

MD5
1211ebf45a999ffd24af67b8ffbd1c57

SHA1
5af9f76c6ee1b39368c24cb995e33504d97fb64c

SHA256
33e42f413e4127be6e039e2482fa1149a53585741c7ac26888ecb1a8e400d14f

SHA512
eba8657e3dfe0f0d29bfdec4aa70cce2bc1772dc69b44e02cb3f95c9ad2a68e55c5e66e1b48715a124e04356ba74d9b3ecffdc3768165f81ccbbfebc326494bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swsw.exe

Filesize
118KB

MD5
973b6ab47a3f84962cbba2bea4f945c5

SHA1
6540a9496fa8518bcab11476e43e9d3cb773625e

SHA256
3d257b1122cd919589f75df7da6ae8f9594e6cb9dc03b76d3da061880f3b0ebf

SHA512
04e46cfcdb4536c0516fafee77bdc48c959707c7352d111fcab69a159ee69d69cd68d77066eb1c8d8ea75f056d941672bf013c0e584c577f460b39a388ebdea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMIA.exe

Filesize
109KB

MD5
b04e5d5f8cee5e6d5c3e25b45b65e372

SHA1
b29c24af10969fbf39dfd28a3123c7deab980ead

SHA256
a50730d965dc5289fa6e07cbb46656469b31faee17d6cd6eb83767f168383c8f

SHA512
9709af0d84bdbb61c0852f0a64874b605c695b72f1547597ed3caf6f46a96e93627b6681d5d151996ff1292d541c9c43c108be0d26a5fe5e7950010f498ae7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQEG.exe

Filesize
112KB

MD5
8073a1217b99484253207d8b884782a7

SHA1
348f93996998f2be5db14691f06168a435da7bb9

SHA256
5eebf3d73408487039c220cdeff8eea0cbbf0a7a25f1523baa5e7963997eb4b8

SHA512
a383bd856e60655510ff35c2a07dc102b5c673a057ed4a8cc2eb0a59a5626fc23d52fbedcaeb41a2fb4a8b6d21c3791dfb7c160bf2952a0771199d73eb2d0ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQoq.exe

Filesize
112KB

MD5
4a3d02a3f4ddd0a1997bfce965fafc4a

SHA1
624831ef17858819cd632e758b93956153a322d5

SHA256
2b9efddc3c4da8f65b67eef3e8398e80c09913c3576eedf1b3eae61e344bf11e

SHA512
20456192fd68ce0155246d68bb07accd866a9d7a6deb1b9cab4dbafb8b2d86b147672f5f754ecd20bd12a1847f0d03dc121c190f5df5feee2d2477bf56a92d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UccM.exe

Filesize
113KB

MD5
f096ec63ac62c79f96f892df9cdb3e4a

SHA1
ff542c47c96f5d08d25be05c94415fa67892345e

SHA256
847074a18b3777c11ff5e093346d00eea1d137a7e7939bca99a079020e57e816

SHA512
0f721d3bec665b2a65db6fc30222c60be93d99d74a2e8c41ab22b2b846348ea6fefeeb7f879185eb4a8df9723884f0bab3991970fe562e1087843e1471703ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UckM.exe

Filesize
721KB

MD5
f0b7c22b07a919f79deea33480ff842f

SHA1
8b1ca9197a2b95271879f043543515686bcd5111

SHA256
785dc9129ccb2bffa3116f01cf51254c63d2168d3de9106b229086fed30110c9

SHA512
e09d641ae6e85d5939bedfca74e92c0b17f35f934ac68bfdd797e143bd73b3c25d40b23e93d8d00fa4a8ba6913ef09124204240135c993e71b7069c4e8d4293b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEYo.exe

Filesize
295KB

MD5
8ad61b5928a9763b29077c69a76f64a0

SHA1
ea374e54d40cc7f86db573eb94f6949d2ebee1e5

SHA256
2d5258cc5b7eefcfe2d9ab77ae7b1c27b4c95d3bdb7cb8140df9d628784a832a

SHA512
0e9b6788588a51fb6240e588e12983339611c694a1463e8d29fae0629e88cfc40b3025ee77a5358f7b262a754136e0c81a898a9940b66d02d3edd35ff9c5cf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMgE.exe

Filesize
963KB

MD5
dec98342dbf615fbd98524640be4680a

SHA1
584bae88218f0afab83df2c5dc3524548acb4d61

SHA256
4ffd6b91020d86f317e00b7d6a2440fd5ff754267c07edf4d3a8a1fd35dc0cb5

SHA512
3d43b010e0eaba9304908aa60b9336d50741463d53ff8c1ff8b185d3a8979ceddb027012daff2bf8e988b528499dede224db4f4422b46b711a89142425f67489

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUMA.exe

Filesize
555KB

MD5
05d3f9f0421683e2951be7d4309362f8

SHA1
ad631a5d439c6fdb86eb8797a31703baaefabb14

SHA256
694304347fbfd38a5e519a1e73e69345dbfbd6a13bd827639de2d302fcd7d4fc

SHA512
2cb5458880bce2af06a2a6cea47ef9834d28c852a6c334e48b03fa5b5010c812f8942f43e9e8c80a9ef08568007d1b86503dfa907bb273d57bccce99b6e87a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUcG.exe

Filesize
111KB

MD5
bc5e7875afe3822629f5c061c75d1e0a

SHA1
e5a7538143988ccd1dac84f82b2241092fc76ed9

SHA256
4f713130adcee932eaf65c5b2c00dbd768535a2062654fd292e626d66920abd5

SHA512
dd78a0fa7f54ba26cbe59887524983a899dfd7f046211e82b8002bb16c49eeb5078f6a3038021cd5348350890dd5c0ea044a9c8de9f2e69a07af61b321a80cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgQk.exe

Filesize
112KB

MD5
574d5ac2269f6fed08ea4b0e7516f245

SHA1
610d7716343374c18453e6689d7f9f65a4790e9a

SHA256
ff920f343fbf2942614e20e35ac620d68a3818f514cc78b45a5d58a807e4a467

SHA512
4711b4fd25bc4c22e2db8cbd63ec1949b48395de07acc66c9eb60b2b56d59b5b0366090a4a120a1a1a6e7db18de8b420fc6123c8bbc74b02bedc034c9079924e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WooE.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAEm.exe

Filesize
147KB

MD5
d010f59515e551bbb08dda6f1d8d7db3

SHA1
bc5c2545186a00b9519ea22c84936ec3dfb78fee

SHA256
07788cc46eab229612e96d03617fc6f70935dadd257f06684b08a70a9aee2283

SHA512
45c2ad0f05060fb2ac4babd3db8c60adbdb6d4101ad065e273990645c7fd7369c0ce0d48e9d5405544c3e13216820673b7b7d01a3bcdaf5d60f7ae10f857a34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEUs.exe

Filesize
153KB

MD5
858c8ab3ae53a277d79f33b1fa370e02

SHA1
390bddc0d44b56298669e44fcce5846c860b1fb4

SHA256
94294c1a7169db9f767d452c3d3ef86c8904f9d994e9d085824e32f6da0c8336

SHA512
5ecf8b7f61ce291691de9f3d62e8603b822f818217374ef608f839007808c18d82abfacabf1ade55c92de22fa9b8684d3dcf2286d749134fc45b7933e5e51226

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIkI.exe

Filesize
117KB

MD5
da8cae2795430da4a81f71a89d285529

SHA1
cecd4a4efd5dc76d5beadefb2d10460ae481c53f

SHA256
4f6b63d993f9716f906d523ba5b64c62970b8eb13b505d9f3d5265eee1b8e857

SHA512
6cde92d9197a6e39c045df42f6f6b56b30f272a94e3253976c69f358447daba57d1a1de1bdbefdfe9697c9f8d9a0e41cb093ca6fb98b9ec2263457b616b7a50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQce.exe

Filesize
110KB

MD5
5839c7a68d0cbb130a40278d51eb8356

SHA1
5f6ba83e6cf2df8b10701c172906c393370781c1

SHA256
76e1e977f24341f8837ecf8b933b11c606a7022a3e7f2b831158cc3180aaf291

SHA512
83a6501b293b9ddda9f02147c9b0db1c976b26953f7dab97287979eca1f5925e534cb0925216069c119e0ac654afadca0e40d4bd12e533d60b1006b3fa532f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUMw.exe

Filesize
126KB

MD5
e78eadf510fc8133ec007d770f34daad

SHA1
dde49ac418918dfecc9c135cf48d32443e25a05e

SHA256
499e40758d8d54c387f9de3a012289b4b71cbe9eef7980333788066580b99553

SHA512
cb4e12e84856e070cc813e8bc28dbfb5d2097089249ea5f4d71419d1d309455a5f03bf76f2e69f5f444dc0f717a759f5ee08795d11b11d6a260da56c995a31ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkAE.exe

Filesize
121KB

MD5
85e339e5e571c10cc6b357c8359774b3

SHA1
5ddaf8e3819c4db4010a3ac143724e4b9ae4fa36

SHA256
6ce7e9e1f561f9c59603cf5390612ecbc2821894057da360a994f9a497403c95

SHA512
438fdd93066ba6fbe3c3e307a3b06d90f27e071e609a0a671f4ef186cac1fecab3fce276cd8311cb34da604ddec80fa2dc438caaa9f9575a637851268efceb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yowm.exe

Filesize
114KB

MD5
276fc358dcaa8148987b870dfc7ebc82

SHA1
f7cc31365b3db7adfc5cc08333d9b80632d69afb

SHA256
914aec148c797311891a27b475554b99894939dce9a250191b13941467aa75fc

SHA512
887f06c2dbeb05e055f5e5019e869597f66913bfc18f19ed45a05cdcc14682b2a9a06cc98b6bbc404934fdc08d6dcd385e276e03fd742e6ef5d4287ab59aaa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEO.exe

Filesize
116KB

MD5
e40c3b9e8f726a83566d7b6b366c6125

SHA1
8aa1a296b1c9c2d7ebc81e239c907e2001ef9f78

SHA256
1591d4ed26385acad289fa41cec44f351b360d5c1c04d71c5e3c8ceb8ce42c00

SHA512
def7208ab0ddbb9bdb14eed4bff09a2732b60f3510448789e7d9f2b4cae53e71763449041e385cfd9bd6e429290929e7148feeb133aaa41ff55407a52f0e4c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAkK.exe

Filesize
113KB

MD5
290aa2dfb030e594c1fcd53631f32fa1

SHA1
052e8850cf1a54a286b25513a1ebba7c27078ccb

SHA256
ee79d8aa4b3003fcacde4939f9c6e251a0e7952119200ded5b546c6b7751e3e8

SHA512
48b781c8563e8137d0420b986d0aa88b40cf5e1ce2f8393ee1f9cea3083050ec1da5ccf22c222e167069b824dec35124ce5e74e94f06fb495705acdf99cd8bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEoM.exe

Filesize
139KB

MD5
8e85414ddb18f496ea89acdb0b9f5b15

SHA1
30738d75d7b36cb3da151540cbef045ae14fdd53

SHA256
ae8a11bc97450c4bb502d903944aabe1e84c3caf98c14044ba2a4c46369cbd9b

SHA512
e306b4c6f86aac7d53ad5bf8061f4822d7f8bfc1e58c7ab9a559be2d01d868b5b8bdd3b1ab40a253dc4f1efe9a33eb1a58910c5808b17e9126fc7708bd284f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMMI.exe

Filesize
153KB

MD5
302af867250f63a04a00a8b94b5cf484

SHA1
bc23e8a79e6729e19f7a847ccdacdaf9652c835b

SHA256
a861223a9bf994c50f5176b7c52117e803d7961aa9dd5e9e2ff0c753a8ade7c5

SHA512
43581d47176e605c85a44b7099b5f37cb1bb0a66fce589839bdad751511c5496c93f95a984280e370a199080ceea35319822dcee60ad156f448d5219b62c240c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUAE.exe

Filesize
299KB

MD5
5958076fbbd0878edd1cef9d9d672175

SHA1
faf3204dc65ab4279fe47447374fb378b0253e83

SHA256
4aa6e6029d2e68bb3336877f32a1b3b49a57374124d80bbfd8a0201abd57d100

SHA512
d96031a0630f933c6f5a92a47707245c39a2b02eecf4b15f3addc88467c9c4a923bbdeda87484727bde7986dd7adb1c74c9f47f1d6eee029f0fe3fe33997de88

Download Submit
C:\Users\Admin\AppData\Local\Temp\awoE.exe

Filesize
117KB

MD5
439875583d509ccbe9d99c658eb3c14e

SHA1
cad63e0e309e4b57616e8c808bee4e08885b6582

SHA256
a0546a4c48afab18d8f51907e8822577d810e66c9ceda6f3d5b6bf8c0ee1b49c

SHA512
c599f6aeaad106c61bfa518b19d7855beb0488ae185e4647b22768ad4fc9847c19af647722b9f8b6592bf1463752c9d3f71a0b2e20a7e87054c0cf388ffbaf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEIi.exe

Filesize
109KB

MD5
87d4262d6d9e5f534555c8a6ed6ceb63

SHA1
29b6a45bcb45204de8d61bb97d8a1ae46b749c71

SHA256
c80b4d90ae0490001a811a58456c0e267403ed40e6b1f759b682a2e27cb0bbca

SHA512
58d1b89a442c6f8d026c6cc04b1f68bcfa9a36af6aff30ad5e57672c0be6a76f635b26ebe7424037bce7789c66855519d24a57f1ef1862ffe523410ef2fdc560

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQEM.exe

Filesize
697KB

MD5
f35dd7d027ecbd955336abf1d5c01876

SHA1
e09ae0ec7d70facec6fc664d7e684d54cb3344b9

SHA256
3bb9fd1cc63d4dac84aeaf09ebbaabf9175f27af87d2ff6c6455f756c83d8263

SHA512
fac90003c75d776e6fe9bcf024a195928f2df42547e5b43059cc0efe5790a040eea16c066184aae318fe9944370dc8f4588729cb7def03b2fdad1437c7605a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYci.exe

Filesize
117KB

MD5
c5acfc8f2e7c3bba941afd1547556731

SHA1
a1aebf33359aac426a65cbb1e170f28d302303f1

SHA256
a6e13a181f4476e87268b845db7f166e7847ebad12d15d270df555bf46e95f6c

SHA512
fd1e87fa68ff0e2810ceef9155e5d93d5fcdb32c78c18e6ef93a8171417d6e3d5105f474957e12f48a161684cf485344ee3ac710838d1b2a411520e9a73c998f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwYE.exe

Filesize
111KB

MD5
27ea9c94cdfcbb166dbc76ac29e6c5ce

SHA1
fc26b44f0515fa11d0c685eacbe4e9a98e4ea45a

SHA256
9887b70c50d5c8fe66cd01c385a256e48b4d13e9d09c7aa8ab9b691b085e60af

SHA512
a43ff8f6febeecda49322520a99ca534ef0107640f0014b98fdc664a6d8613fc278c5275bbef3667b31ca23d67b819fdb1774f622c6eaae45165ced0cba6efb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfe9a90893b4ff71f5fca648a3bb3fba9601f2d02eb6a3874e88d3851bc6a079

Filesize
2KB

MD5
35187f94bd240bf691955f0838deb12b

SHA1
2a5b89516f4c60cf569ccdf18853586cbf6ea144

SHA256
208fd54fc7819b2f69e10cd3323068e3d5a449245c1aaac70ba1b0414c924d5b

SHA512
d68610af0f3b2313277d6ec177b7ac1e4639382bea60631136ec766b0bb240c752c3e1947150ce5fd30afd9846173021fbe88b7f084e5048f8c3243bd9e2fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYgO.exe

Filesize
720KB

MD5
d4bdc1c37c86de750c5250108bc0c9cc

SHA1
f3131bd1ca8c1b0bc68718f5b1d0c524f04d8e98

SHA256
7533028abd66fcf970296750a8b6b69819b465785f6544567b5f1ff8e8408ca4

SHA512
798999168adf167973379041e3923ed0f4d15e0a177afc3d70c2051e04de1d1c175f1a440a8b9621780294fdf226dc2f8f30e8d9f828d18a8c35c1e3be0746f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoEm.exe

Filesize
115KB

MD5
f75192f8ac491f929b4c3bf67a62251e

SHA1
76eca28ca41ecc2d3ec6c1a34f9e703e68b5287c

SHA256
21a6835cd7abd44b86e868a9c743f44e1f8cc85be7911d3ab093619bcad8ab2b

SHA512
cf150aee4837defd2be93b6b9f913e200dadb9bcbc1dcee8f70bf6a33d4327ff88a283708c46bb2cf2e369c0290726755aa25e728a7edbe7abac8ccd6bf95c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIgK.exe

Filesize
112KB

MD5
8f234b0f628e7e94d2a9ec12fe3bd5e5

SHA1
dd53b9640acd76b8653ef4965b928907ba2d118b

SHA256
982a7dcc6c8f6c34b7c8d5b2faab35225a7929e8a6e893f4ce1f84babba2a398

SHA512
73a9f3cbe6e036b9641283b022461853971ad2745a5f70f967c763ef7d05937ebbf42eac1135fd058c9f15871180065d689feca10b949e7f13bcb27cb07712d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSEwkMUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggMQ.exe

Filesize
115KB

MD5
de934f468718e1ccd39b6249ddd7bbb0

SHA1
0d5fe8409493943933553da31f0e2ec0e03ee8e6

SHA256
0cdede73508c1fefa81eba96d750005c7187eda53f21ac02cda0d4b5045cd4ec

SHA512
018e417910e352fd37d923b6b44a66e9562041e1cf615f2e2431348c39fa35b3ed931929f5859bc76d5372bba29bc8e2c799e5c4a105bc20a73abfd2458a44f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gogG.exe

Filesize
121KB

MD5
fd5e6c970e9a63d92d10352c604bf9ea

SHA1
90a02cd786dd02d07d0ad54eba2aedafbf24a55d

SHA256
2531db44b0418fb507361adcc6c3d2b3acce17b13e13df7e332825aa19257079

SHA512
baa0a0fb77189c1e341db859204d9ebe42e7d0853f535557c76c4c1840e0cfe95a1e6a16d1fc51f01f9632717cdec2d9cdabb7b8d327f1672942cfafb83d7def

Download Submit
C:\Users\Admin\AppData\Local\Temp\gswe.exe

Filesize
138KB

MD5
b34c4c3547e662ae78a67c2fb769667d

SHA1
d86d994ce477592545dc449fe6dd640c9301acc7

SHA256
27dcf6af3ea61104c7db6b6e71c6766f213f648ee44817e634df6bf22243547f

SHA512
96392553216739d33108ff23e0a7dae219c351412a52bd97280881b17bd1b31c54492d0b7fe95f9690c9c7cd3eb8b7c8e7ef973516739449a13fd1fda2ec76ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMoq.exe

Filesize
112KB

MD5
20e7b8f498232bc7d3e448ef53f40578

SHA1
24a7225d3e638092507321e08760ee03285a6349

SHA256
d8ba3dd9e278eb517b4de1c9872c070ab19ad7b85c815e0c03b7398b61e771b7

SHA512
66250c04b49df93ef5dfefeac2fa4c1da0ee27a8f8458f0120c47142cdc5b5aaa9eeae0ac309a45c878cbff3af78612b5e471ab897b2303e53341397fe70e0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioMu.exe

Filesize
118KB

MD5
dda2f96a71f8ac08ba498617b978718a

SHA1
9a77f82490d359f6f476768efb29eac02ab05cdf

SHA256
2fc1f68c36caa1f2fe2f4069a2506e9607cb427007078a5ea0a586ba4b007b8f

SHA512
1e63090f0964a0c57b583952867d6eeb42cfc47e6eaabfa7a998ab4e14f588a46363501fd21eb7c2b8c3c19417d412536c4c893ccdd90b0cc3c7c5c6b5fb3966

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEss.exe

Filesize
721KB

MD5
3d7c5be5255693d0faa5b060e04a4f81

SHA1
efeb86c69874fda48bce6211784cd5f2e6aaf310

SHA256
34014d85cc1e2020a624bff332206754e96961fe0dde698dca1645bd285f0db7

SHA512
56dfb01dabf2473c1fa59892600ffbe2ee2abde550eebf481276e2d53db98963685f716d34997dc91c5bf2667d1c7fa42d8ffbe7b3ec785c78cfb62b25afb141

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMAS.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQEc.exe

Filesize
110KB

MD5
116cbedf2d1ba2c6f3e0d75bbd397fd7

SHA1
732b219e06d765cfffac0e9306cc58918a7f6460

SHA256
3d87ff25420965edfb6a5fec85e6e584996adaf694e7d6cc25db70b91e924dec

SHA512
444572141cce66646bbf363cfa5c3bdd19054aa176b9aed1180f4b9e4be1f83dd519099f4fb667f87d0849e20e0102e207962854e791d784b496be6f3491be87

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQsu.exe

Filesize
120KB

MD5
85162bca46f578201f08ad7d7dbe22b0

SHA1
2bcd090091901861af2b678de9ed37f805a73e81

SHA256
dc2b3fce7763e204a5dd7480d055a963d5f5400cd7a26b658b582f66d774de65

SHA512
f294fd70bca2e531543dc15b46a4810b756b5e1449f6f8809552b1a6f20b545bc4e5d19c7e76bfb30974f616f1e1502ac56c5f641cdc36c8cf5357c6d2357856

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAYA.exe

Filesize
114KB

MD5
88f3ec72ca4ecebb0e11a33df6b27754

SHA1
e07637be5ed7c8f316045dd6b43f82760c1b80fa

SHA256
51f506da29bbc0aa927fe6db0474d1b8f2e54862d8f6f923b6ff3b7daea70d6c

SHA512
6135c07dfbb89ebbe9d5d4bc2f8a214dfc15d1d807d1f6a0e58b505aa98f933f3ee51c5d21fc19672023f6dfaa79d483c6bfb68689bc00614aeacd6f16f5cb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsq.exe

Filesize
111KB

MD5
e41482b602349ba1a09939808b9be79c

SHA1
1e55bbb98a4f6a7598ccf3f5cab7bc69046c36b4

SHA256
981d370142d8a7352e58402816d8a02d3bf40e0d11413d4b70b345a361243b8d

SHA512
0b6a28704f966544bb9e9ce02585f0564d53318f32bc9aba4767681398c1d11eba89bf75e750924d7d71f8dbc21ec5dc934510240db8b80672e6a64deca2e90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMcw.exe

Filesize
565KB

MD5
c847bb5d7d0417e6a46cb5307bec6b68

SHA1
9bc8445d3105890b976ca03fa44d8511aae34ec9

SHA256
63d49e59d8c3cda38a2ead255e1db5cc06f3e29b7c1bebd61685d95ff0c53e5c

SHA512
984f622f309c132c75ff05fafcd7246ed0ff71e48a2a3cd0e907e7aa184a816c1dc74344addc9117ba6fd594dffb00a36934f72b18ceefc3bb29b7d0ebe4ded1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIsG.exe

Filesize
348KB

MD5
3c46837280a38154cafe4451a5b8316c

SHA1
cb83ac3cb392d2b6b2b756fbc1102a59e1d443cf

SHA256
7f0830425917788098d77af389b06f636ace3f2649636ccf5b5870b6c812685f

SHA512
7744a44eda1e21fa7ba1687636ea47f89d9cd09af7fa96d19f725171cc7436e3a4f7e0cbff386b997250522cae50c04eb1065ee00fab170a4a00b8a8d479258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUYq.exe

Filesize
110KB

MD5
ec86ec2a6ef4bf954bb562a546382f30

SHA1
d7f07d8f4100572cb5b837603d6bc6c96bb1b866

SHA256
c88b54bad83efb6c3b534c99d5a1cb09d17c7349b19d74577b3df1655d79fa25

SHA512
f8ee812ef20f1b32f961a24a20f646f09ba38b85c2e92683efb381836580b6276d2d5359400208b84f71f826d123342ec27fb67b4b1829895695ea8b9c7f61ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\scEE.exe

Filesize
110KB

MD5
f4a13fc1ea3691854484f9c8c5484942

SHA1
38edaf67ecc851cf123f29d1cfe13abe0ef94cec

SHA256
1fd65cbeb152c6aa6efa6d5d002a2251b0f3cda9e6167fc9e8df481314340c50

SHA512
9b3276f607ca419d0ee94d6fd4b27968a7b05e667b49d64c1feb2d2a2728692aaae93403fdfb62870022ada51b8a234b5f92de2c8a889394710d8869c0efe80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\swIs.exe

Filesize
113KB

MD5
c2e30005dc3a244575100a8fbcbb4f88

SHA1
869f8ce2e0f0e1c8e42ac43cde7e93d84200e610

SHA256
96ab82cd3458f8ec04d96e9fa44059c5e94111f80bf3ac4e9ed5cb3944371c62

SHA512
e638a8a29b042192925edf942792dbc0feb2e5d69dfbe68cba1251fca41443866f937a64232917839d032c6cf9def5deb33dbca34e2ed4669cbca6951f1b712d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAkc.exe

Filesize
110KB

MD5
bc62c87e0c3d997ed28b1d777065a843

SHA1
c7bcb2ff47d20ce855763433da36a37061f534c5

SHA256
e182325f4ed424f9f616c35eab9e9579da41aa7b04582203d174c1132f0500d1

SHA512
147aaae1b3b67eb670f82c16e724d9fc985de099f7a16b9226189ea02e5ad5d76314dc03de18447a90a215e2c26af485199bd329eb1af2db996a89985c7ad6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEEm.exe

Filesize
112KB

MD5
f2d02e15423b3bdc10732c71984883f1

SHA1
7269b0ccee0edcfaa9c3e2855738e5d05cb96fcc

SHA256
2d411adc8d9a8c5e3825685ba8110bca733e285bc0b975f0b935daa95a6d3e3f

SHA512
c9bd409c82d538d6319081fc33aa1265b2d7841004d0425967ee1b4a68c351b922288973daa87e126876dd6c07ca5d6269ba08190b356d1e31216d879433a1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMQu.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUsy.exe

Filesize
117KB

MD5
275f6467cda5a38142eb6a9265bcd614

SHA1
8a9f68e409749781b0de450f5e95b24d4edf1b88

SHA256
e1930d55b1df9561422181a3042cc61deea042a550694130496523cfed271d93

SHA512
0a1be0773c848f40d406ba537d9128f86be7e9a22104c3d4106bfde93d2465e6916d59755f145a6550f159909149e645c1b97d22e269cacbc62d2763640e51a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYoi.exe

Filesize
116KB

MD5
6279c00684cf2bc811e566f991834269

SHA1
ef5f39bee6b86fc12592116af51effc1682a0b96

SHA256
4b02098fb762a8a12429ff06a44212420f8639e3177e313866bcc6eacd5d5fe8

SHA512
54337f46e066acb2bd29e2747cdb1455d6bd56bdeb715347f4aa6c0d500720a897890b99e5f47e295ef32f5c77e19461b98bd8fd46b623726aafd68f7775a02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucIG.exe

Filesize
737KB

MD5
38f54ea631de0cfd8941a7f8869f6ca4

SHA1
3ae96529caa4eeb49b470515e78889c790ffcf3b

SHA256
f3c0348e2e5f75ce39cc8519e982109eb60befb19c5f935b5fd9f39678286578

SHA512
83e037112814a7fc8d55d6cadb05435b5354cc915da9edfa65e7932dec582273fb80f07cbc29de71c3a2a2c6d9ddbd4c21b1d1eff423d364c437c0679590e538

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoAG.exe

Filesize
113KB

MD5
6b27b5a259582c93a32535e95bd32c2f

SHA1
91dba70e5114502c7b120e5c4298f695f2e65082

SHA256
11f08e3e331033e413721ad96c01c221f129d253d8559c43f8cc92a2004ac683

SHA512
8d47fb1de24e4cb295e081f50b421987924d7364c944ad883ed34c03f9546e66cadab9b1b7638551f07dfcb5fa1364fa59c95619100ce0877914237274b4ab74

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEkM.exe

Filesize
121KB

MD5
962768ead7a7b7612bc8fe355c78e2a2

SHA1
119f0ef982fe280944e2a4ff97c40c6851178e5c

SHA256
e055cc657864656ee319d38852e92dfcd887b690a825eddd33af1aa25a734726

SHA512
e64e4b784b656b481808b5ee8e59ae5d964453bb8df5cba8a9dd9fffbb0e3bb0427aa0811348eeddc7525e341310a9a111fb678fe91a6016789270f534ac87c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wggs.exe

Filesize
1.7MB

MD5
eccf6fd7b0a6e3711177eb154be4db9a

SHA1
93d6530bf02b0de927bfbff62733ed87bfa82116

SHA256
10f103f2700a71912cbe3fe7945d3ccf5a08dd7b5d3bf49ad958b5070f2ea393

SHA512
398417d762c2e1ad6d7ee3bc2cfac275bd67809005bc9fdff7bde4b76a7bc4e416ddbcc592d998261c12257b852ec294c0159f2f8c4566c52faedd5660618780

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgkm.exe

Filesize
134KB

MD5
2e3a084f7336783ff4d6766db1a1c954

SHA1
925e925dff0db5f82990076750af6a34fd7522e0

SHA256
5eadcc41c1cbd58eb28b330b1480dd9842ad936c83a67eb3bc879a82aaea2932

SHA512
6607d703fd19829fe6e90f824a32340f0ea969b462470d5feb8d3036aa31ec9b883ca79b8bc5ffc0466e57745c271453d57d5724b20a589824bb7cc00b5f0f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwK.exe

Filesize
565KB

MD5
58c99b82f36fc6db1c5488cbc00d0140

SHA1
a7345e243f38826d902710eb4a04c64bce3a3df9

SHA256
e2f7c7a955d700dd27f26f0523b877358304972a4f40f02bcef0e303f0ac7bd0

SHA512
645d997b070f57980bfa9867f58a0909046f8ec8149ae488734120a668f5894570e4f1444a270f090ee6e6db199051f075b42bcb534a83948f732d9e23ab57f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwq.exe

Filesize
113KB

MD5
b089762c4a2eee5c4fa619e24500d183

SHA1
7683d5ec644ea8e35abf7c322d7afdd91ac1ecbb

SHA256
cc1e7d5b1af770b25a696a6664cb03da7ffcbc8f237071e174d99d187eb87d2d

SHA512
744c60d341089d4d8db39f1ba4092fc39471d5dfe7b241d3a80d5a55af6f6094556443ed4d4ca6f6469e1159c15d1ab2033d19c1f31f71acb0ca0ce329ed6686

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkUQ.exe

Filesize
237KB

MD5
3a51b630075506353b759feef4e3b242

SHA1
b30c2c04c612282dc63b6a4a9adda15f5913a534

SHA256
26f205e7492bc633ed4657f4f878c0ab7102b5a837ddb536b4aa42bd44881a08

SHA512
b28b68abc3669a484ee5534da698abd2b2374f1eec757616c98ca8e6afc001d842d3b1b02e6fa34e9244d8d6e57af1dcdb69dfaccb9c35e6df3b1518b27a4a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\woYa.exe

Filesize
744KB

MD5
8611a32c854a3cc5facacc2a0b98f0a0

SHA1
7211d23d072b16422b34de62f0af2adaf07a28a9

SHA256
d01f44c35d541f0a55c9e93e963d433774810b2dd463719c737ad8ceaab5dede

SHA512
255b3b45269abf47f3d1773ac4b9ccab598c15207be1c11e2581ce7c0b6df28ca5cd3895cb73a9b31b47393c9c290e64960475c21f42fdffc570766066041bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wogA.exe

Filesize
700KB

MD5
4f6aaf5ee87bb9f239ef79e12974d2df

SHA1
f6c82c9e47959f064f1ff7363f6759d6b195811d

SHA256
cb23b7d98daf10a5be2c545b07132d52822735409782837a59af4752480c862d

SHA512
ebbdfb024850189c7e522d9f559523b387965722c54f7525a9015c1b6a198583db80ce51bda68d7497eb89597badc28fdf57fb331ace00da24d534a920e1864d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wskQ.exe

Filesize
744KB

MD5
3ea72c87a7dc0d0848e7ae0f388f1092

SHA1
6867fbaf2132b70ca4882fff07606c324a311a0c

SHA256
300ca6841be3624898ecb8915a532d5fc1e155c97a3c361cff5f61cccabf268d

SHA512
567e580e3b1c483aaa8d9b48fcb948ac443af0c9cd8c00814e47cdf9456e38176c079dfaa1edc3ae04a6c9248e3239653d07960198b7bea273286efadac4fa7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIsU.exe

Filesize
114KB

MD5
872bae050f971d22573b49f36088c49a

SHA1
c826a8f2340f364a282784ed5fad03f66fb8e06d

SHA256
7bfdf66fe81350337d3da8273eab5cef9c1d46e83cbd5eead39beaaf14b5c91e

SHA512
e564527920c93ff53b4cadaccefae70c7919841f4b5325ab5a4de6353ae591c5a475ec94f8abcd1c822668702e6f34d376382c617e3f6b251dba617d6a4e4bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQEs.exe

Filesize
113KB

MD5
5c8f242a61956b14a499ec64f109bccd

SHA1
bc13b12708aa7177880d4382b7677daa6d198c4f

SHA256
c9c286a1c9181cc5d65c3c575dc16cf8219047b9c87ffa34ec9208ad03c67dff

SHA512
f6b796c44951aceee6ec017d4d049454516ff9c1cd97d1c302059affa0d7a21dd68a07a764a4f3e5e6caf12f13ce5627fabf9b26472d339ddda8955c5b140554

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQS.exe

Filesize
115KB

MD5
7e63ee14cabeb74adf78f8d11a43bda1

SHA1
ebf9f24ac86adcf7032dc1e08db4e325d8958d94

SHA256
d6094050b21ac9b554af396f667f35585848ed994d0e98babc2cda8075190fb0

SHA512
e84fb6f2e6090f2e1473ee1ea7181a08e9332c85724514406930890e029bc7524c7d1f31ca2e0d0ac2f3046fa30577195694c1dab44ee55bc803d852763aaf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoUW.exe

Filesize
112KB

MD5
f3ca88aed070fe00cc63c191ab063b86

SHA1
067b02f1b7b07517bd32df0269191c05fea590d0

SHA256
3047055385a81fa949f90dddbde99b1ba658a6ed51d2a94a9b63038f49666187

SHA512
ceb333c23f901772fb75ee8e0dbb522faccbb76d48dfcb2835aee13bbc4e30c16fdfe674a5d2b8b965e077eef69572c77ccfc3efd07fb039859823356605910b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysgE.exe

Filesize
112KB

MD5
edbbe0f9625f5c170391a30b7a16f92d

SHA1
4c0c35ff05298fb4c3f195bacf951623e6f715e2

SHA256
fd73dfb64821b1fae288ea572449fb1f6e3c56ec5f5b430f664ca1a6ef2bd184

SHA512
9b1257a224c3298851febca50216b41eb42c7d2f71eb8a13b917cb18353468a1f0e2f47f36e162e48933ddaaa2b7247fb03f6eb07daa8aba2cdff3e4bb488f9e

Download Submit
C:\Users\Admin\LIcAoAAc\FywMEUQQ.exe

Filesize
110KB

MD5
64a286fabe8c4f4595621a4f53dbe1eb

SHA1
7253269f9e401df317759ca9a2c9bf6edbbaf0a5

SHA256
123e092ddfb086be862a4dfd1a2530cc45202a12ca0d7b9ae2e33e4009cba3fa

SHA512
50c07fca5d704d9806522d35f93b3d58048149121b95b9ba10e7f3885e9940df5be0efdfbe9b3c39b4c17679a8b947ec314d541f0581129af788772940c04639

Download Submit
memory/212-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/396-355-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/396-367-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/560-445-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/560-457-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-392-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/776-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/836-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1008-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-1485-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-1562-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1140-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1168-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1224-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1524-440-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1628-376-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1664-465-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-1483-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-342-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-1689-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1968-1065-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-744-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-372-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-384-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-1228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-1293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2092-408-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2152-508-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2264-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2372-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2448-1115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2512-1229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-651-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-587-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-572-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2776-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-1831-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-1767-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2856-359-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2864-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2888-490-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2888-400-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2928-1370-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3064-1612-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3076-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3076-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3160-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3184-474-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3184-466-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3580-1688-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3580-1752-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3632-886-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3724-514-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3724-523-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-482-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3804-951-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3904-740-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3904-822-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3912-350-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4128-432-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4136-424-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4144-1151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4188-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4216-449-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4232-1420-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-334-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4316-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4316-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4396-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4416-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4476-933-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4476-1001-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4476-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4476-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4552-1881-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4648-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4664-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4760-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4816-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4820-416-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4928-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5116-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download