1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Size

187KB
MD5

165ff7a540b2338d7b848c17c9e9e9ca
SHA1

2b4ccc7579cd41e57cd6e19108ea7df964b6b0b9
SHA256

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
SHA512

225e7909b4587c2a090681de0ac870c5ad00f245f6467e51f1b99489d149fffd8e57907fceb435b31b30c4adaadb89b0e718a73cdace715369b269584bec41be
SSDEEP

3072:kxqO4KrRMCg2fMLAEO8NGzswbpA3fiani/dckNHqTl9EsRVKQoY:koOMCDMLANEf9iFckNK59EPY

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pwAAgUcQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	pwAAgUcQ.exe

Executes dropped EXE 2 IoCs

Processes:

cwkokwAo.exepwAAgUcQ.exe

pid process

3864 cwkokwAo.exe
964 pwAAgUcQ.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
3864	cwkokwAo.exe
964	pwAAgUcQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exepwAAgUcQ.execwkokwAo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cwkokwAo.exe = "C:\\Users\\Admin\\USMQAEkw\\cwkokwAo.exe"	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pwAAgUcQ.exe = "C:\\ProgramData\\fGkMcgYc\\pwAAgUcQ.exe"	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pwAAgUcQ.exe = "C:\\ProgramData\\fGkMcgYc\\pwAAgUcQ.exe"	pwAAgUcQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cwkokwAo.exe = "C:\\Users\\Admin\\USMQAEkw\\cwkokwAo.exe"	cwkokwAo.exe

Drops file in System32 directory 2 IoCs

Processes:

pwAAgUcQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	pwAAgUcQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	pwAAgUcQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.exereg.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.exereg.exereg.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.exereg.execscript.exereg.execmd.execmd.exereg.exereg.execscript.exereg.exereg.exereg.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execscript.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.execscript.exereg.execmd.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.execscript.exereg.exereg.execmd.exereg.exereg.execscript.execscript.exereg.execscript.execmd.execscript.execscript.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3392
1972	reg.exe
4160	reg.exe
3552	reg.exe
428	reg.exe
2180
2524	reg.exe
3084
3496	reg.exe
4488	reg.exe
4220
908	reg.exe
4432	reg.exe
4048	reg.exe
1400	reg.exe
2612	reg.exe
4084	reg.exe
4176	reg.exe
464	reg.exe
4544
3404	reg.exe
4084	reg.exe
4572	reg.exe
2636	reg.exe
4884	reg.exe
1572	reg.exe
2232	reg.exe
3432	reg.exe
1452	reg.exe
1944	reg.exe
1884	reg.exe
2600	reg.exe
2240	reg.exe
980	reg.exe
3456	reg.exe
1688
4024	reg.exe
2256	reg.exe
4680	reg.exe
1476	reg.exe
4800	reg.exe
1768
4728	reg.exe
428	reg.exe
1824
3448
3012	reg.exe
1900	reg.exe
2416	reg.exe
2612	reg.exe
4220
4816	reg.exe
3644	reg.exe
3268	reg.exe
1880	reg.exe
4772
1536	reg.exe
1364	reg.exe
3108	reg.exe
1128	reg.exe
1544	reg.exe
1340	reg.exe
1284	reg.exe
2956	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe

pid	process
4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4780	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4780	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4780	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4780	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2024	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2024	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2024	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2024	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2188	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2188	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2188	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2188	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3448	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3448	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3448	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3448	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2432	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2432	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2432	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2432	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3552	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3552	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3552	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3552	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4772	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4772	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4772	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4772	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2424	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2424	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2424	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2424	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
516	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
516	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
516	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
516	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
548	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
548	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
548	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
548	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3636	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3636	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3636	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
3636	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2100	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2100	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2100	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
2100	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4148	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4148	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4148	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
4148	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pwAAgUcQ.exe

pid process

964 pwAAgUcQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pwAAgUcQ.exe

pid	process
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe
964	pwAAgUcQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.exe

description	pid	process	target process
PID 4792 wrote to memory of 3864	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cwkokwAo.exe
PID 4792 wrote to memory of 3864	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cwkokwAo.exe
PID 4792 wrote to memory of 3864	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cwkokwAo.exe
PID 4792 wrote to memory of 964	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	pwAAgUcQ.exe
PID 4792 wrote to memory of 964	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	pwAAgUcQ.exe
PID 4792 wrote to memory of 964	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	pwAAgUcQ.exe
PID 4792 wrote to memory of 1572	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4792 wrote to memory of 1572	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4792 wrote to memory of 1572	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 1572 wrote to memory of 4016	1572	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 1572 wrote to memory of 4016	1572	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 1572 wrote to memory of 4016	1572	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 4792 wrote to memory of 2740	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 2740	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 2740	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 3124	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 3124	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 3124	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 3996	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 3996	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 3996	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4792 wrote to memory of 3584	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4792 wrote to memory of 3584	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4792 wrote to memory of 3584	4792	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 3584 wrote to memory of 2004	3584	cmd.exe	cscript.exe
PID 3584 wrote to memory of 2004	3584	cmd.exe	cscript.exe
PID 3584 wrote to memory of 2004	3584	cmd.exe	cscript.exe
PID 4016 wrote to memory of 2864	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4016 wrote to memory of 2864	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4016 wrote to memory of 2864	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4016 wrote to memory of 1260	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 1260	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 1260	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 2928	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 2928	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 2928	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 2900	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 2900	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 2900	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 4016 wrote to memory of 776	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4016 wrote to memory of 776	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 4016 wrote to memory of 776	4016	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2864 wrote to memory of 2748	2864	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2864 wrote to memory of 2748	2864	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2864 wrote to memory of 2748	2864	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 776 wrote to memory of 1576	776	cmd.exe	cscript.exe
PID 776 wrote to memory of 1576	776	cmd.exe	cscript.exe
PID 776 wrote to memory of 1576	776	cmd.exe	cscript.exe
PID 2748 wrote to memory of 5024	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2748 wrote to memory of 5024	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2748 wrote to memory of 5024	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe
PID 2748 wrote to memory of 4404	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2748 wrote to memory of 4404	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2748 wrote to memory of 4404	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2748 wrote to memory of 2540	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2748 wrote to memory of 2540	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2748 wrote to memory of 2540	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 5024 wrote to memory of 4780	5024	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 5024 wrote to memory of 4780	5024	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 5024 wrote to memory of 4780	5024	cmd.exe	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
PID 2748 wrote to memory of 4672	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2748 wrote to memory of 4672	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2748 wrote to memory of 4672	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	reg.exe
PID 2748 wrote to memory of 4736	2748	1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
"C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\USMQAEkw\cwkokwAo.exe
  "C:\Users\Admin\USMQAEkw\cwkokwAo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3864
- C:\ProgramData\fGkMcgYc\pwAAgUcQ.exe
  "C:\ProgramData\fGkMcgYc\pwAAgUcQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
    C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        8⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        10⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        12⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        14⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        16⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        18⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        20⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        22⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        24⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        26⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        28⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        30⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        32⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        33⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        34⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        35⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        36⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        37⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        38⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        39⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        40⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        41⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        42⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        43⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        44⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        45⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        46⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        47⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        48⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        49⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        50⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        51⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        52⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        53⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        54⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        55⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        56⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        57⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        58⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        59⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        60⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        61⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        62⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        63⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        64⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        65⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        66⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        67⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        68⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        69⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        70⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        71⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        72⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        73⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        74⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        75⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        76⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        77⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        78⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        79⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        81⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        83⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        84⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        85⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        86⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        87⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        88⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        89⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        90⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        91⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        92⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        93⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        94⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        96⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        97⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        98⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        99⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        100⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        101⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        102⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        103⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        104⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        105⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        106⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        107⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        108⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        109⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        110⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        111⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        112⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        113⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        114⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        115⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        116⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        117⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        118⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        119⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        120⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        122⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        123⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        124⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        125⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        126⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        128⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        129⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        130⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        131⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        132⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        133⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        134⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        135⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        136⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        138⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        140⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        141⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        142⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        143⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        144⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        145⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        146⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        147⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        148⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        149⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        150⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        151⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        152⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        153⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        154⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        155⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        156⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        157⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        158⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        159⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        160⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        161⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        163⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        164⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        165⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        166⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        167⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        168⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        169⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        170⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        171⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        172⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        173⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        174⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        175⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        177⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        178⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        179⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        180⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        182⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        183⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        184⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        185⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        186⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        187⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        188⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        189⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        190⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        191⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        192⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        193⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        194⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        195⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        196⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        197⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        198⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        199⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        200⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        201⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        202⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        203⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        204⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        205⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        206⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        207⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        208⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        210⤵
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        211⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        212⤵
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        213⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        214⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        215⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        216⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        217⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        218⤵
        
        PID:2416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        219⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        220⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        221⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        222⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        223⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        224⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        225⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        226⤵
        
        PID:1776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        227⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        228⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        229⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        230⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        231⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        232⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        233⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        234⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        236⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        237⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        238⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        239⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        240⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        241⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        242⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        243⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        244⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        245⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        246⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        247⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        248⤵
        
        PID:1588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        249⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        250⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        251⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        252⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        255⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        256⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        257⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        258⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        259⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        260⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        261⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        263⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        264⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        265⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        266⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        267⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        268⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        269⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        270⤵
        
        PID:1008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        271⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        272⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        273⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        274⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        275⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"
        276⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
        
        C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
        277⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        Modifies registry key
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuEoEoYk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        274⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCAYIcoM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        272⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMUgMQEM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        270⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiwcAMIc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        268⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooYoUQMk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        266⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASAcMEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        264⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NosUcwYI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        262⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYQocwsw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        260⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        Modifies registry key
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        Modifies registry key
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoIwgUMc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        258⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:4608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYoUgksA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        256⤵
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAYYswAY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        254⤵
        
        PID:4144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMoIowAU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        252⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEAUsAgM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        250⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYEEgsIE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        248⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FowoAYoM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        246⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        Modifies registry key
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rygsUcAg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        244⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaUAcQsc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        242⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyAMgIEU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        240⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAgQscEE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        238⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:4284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSwYEIAs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        236⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmEYooQE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        234⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vckIAIoE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        232⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leYEcYQU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        230⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOEEQwcE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        228⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myUMAksk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        226⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies registry key
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEEIEUYw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        224⤵
        
        PID:1196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYUgwIgI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        222⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAosgYQk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        220⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYYoYUkA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        218⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQcQskks.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        216⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:2756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWMcEcMw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        214⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOEIwMAI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        212⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOkkIQIw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        210⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYQsYQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        208⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        Modifies registry key
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWYoosoM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        206⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYwYwccc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        204⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqAoUkwA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        202⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEAMocIc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        200⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeEcsEwU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        198⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScwYIIgk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        196⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQcgwEog.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        194⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKAgIcMg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        192⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIoEoEoU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQQgwosA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        188⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UoowwAog.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        186⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIscEAIo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        184⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUQYcAsA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        182⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAgEsMoI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        180⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIEYEYAE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        178⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsMUEIwc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        176⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGEoMUAY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        174⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsEIsAAA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        172⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSYgYsgU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        170⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YycwcwUM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        168⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwcoMAsk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        166⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSQIUUQA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        164⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmEYAgIU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        162⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOcEEIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        160⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmIwwMIY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        158⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwwcAcsc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        156⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MikQYcUE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        154⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckgQcMkM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        152⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmkccoII.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        150⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmAQgcwA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        148⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZykAkAMM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        146⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQYskAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        144⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqEIUQgs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        142⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYwoUIwc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        140⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMoYAUYY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        138⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKoMcYME.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        136⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCMssMMo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        134⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIkUQkUY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        132⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaoosEMg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        130⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWscIUEU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        128⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWAEMEks.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        126⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQooIIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        124⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\locscogw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        122⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyMgUoYo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        120⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqockQUg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        118⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWokEQIo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        116⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syUIMIow.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        114⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQMMcQQU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        112⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcAUsAsE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        110⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIccYIkw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        108⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiUkIAQk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        106⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACAMMYck.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        104⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgYAsskE.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        102⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwMoYIMw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        100⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOswEsYg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        98⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaEgEYIs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        96⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmwEYQYo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        94⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGcUsQIc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        92⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcMAgEgM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        90⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYUwoMEk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEgYMkEM.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        86⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUEgIgwI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        84⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUskoAMg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lswIYIEU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        80⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQQAoEcw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        78⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuwQoAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        76⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoIkUwoA.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        74⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUEQQUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        72⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmYUAYEI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        70⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beIIsIYg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        68⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGIQswII.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        66⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swQEQEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        64⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKsMYEsk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        62⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIQUwgAI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        60⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOAUscco.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMUggswI.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        56⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkwAQMYg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        54⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWMIgQso.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        52⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SagQIIMk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        50⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCksMoQk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        48⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEUIUAgg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        46⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAYwcIAo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        44⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pggoIoQU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        42⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkwgAcEU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        40⤵
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkUUEYwY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        38⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isAAMQIw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        36⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEkEMkso.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        34⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqEowQAw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        32⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEQwAMEo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        30⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAAAswcc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        28⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaAEUsIo.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        26⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkcskIYs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        24⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcsUIsMg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        22⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkgcUogk.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        20⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymMwoUUU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        18⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWYYgIIU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        16⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEkYYYYU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        14⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niAIcQkY.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        12⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOwscQMs.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        10⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYEcgoMU.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        8⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3004
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4404
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEwwsAw.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
        6⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOsoAcQc.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3124
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKkUsoYg.bat" "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
321KB

MD5
cf79e40e227865d919994ccb94b2c44b

SHA1
9803c1de2d9b49900e03f51c0d9a797da37429b6

SHA256
2cc932ad53e2e29a8fe64aff9ee529f9643fe2dcf412f4aba793df3bcc8c1362

SHA512
1a22f623de0ee0e386640895f2108ef164792ae8e9cd057303582e6b505176bddf22c76978f52478a1e99d9284be3301b1ce8bfd8713e93a57849211e570269e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
240KB

MD5
b54ac0a860d40e5629f1896b06aa5ebd

SHA1
ab3ba67f8f2981a15243b67ebe41a9a5e31cfe6e

SHA256
d7fe8ac6a1516d4286b48ff7d8051daa94344881fbc884d4c4435e1360b93478

SHA512
aec8e3213a7c1846f5dbf44331661dca176b10d7c2c7d533eedf6004e49bd2f5b2b0cf77dc46a084d4749badb73d21aa23a2f8f85301fe1d15c8875182d3aafd

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
640KB

MD5
943bb193aadc5dcf75fb9858972f53fa

SHA1
68c5067a11656acf408c0c94b4d42a2c56c5ad25

SHA256
d2f3fb69daa21808102f8a047635c71a66b7fc191ef1a8f0ff072c8a8728d3e5

SHA512
c3ab54f7edc076bfca153fe5572f8ad02f9f231f38c3c76f8627d11b3704a37a3f511e9e6b94febf940e59aabbd62cd2ad0c0dc7e2eede1373ea6464cb5177a5

Download Submit
C:\ProgramData\fGkMcgYc\pwAAgUcQ.exe

Filesize
188KB

MD5
e13a6637dd86ebeb3b8224feb76b7c2e

SHA1
9361e1b30721615ebec2765131ec7f6b65a07172

SHA256
3423c404dbdb0c5ce5cf60f11864bbe24bbe6d4f195c92d3a31b4335f26f420a

SHA512
9f0ce9db0df003a8d6eae594fe0cc76cda8ef912402193b06c72d6c946d799e9a7283c15e34623a0c0b954f0a2daa91a9266b4c7cbab55e2b4b511b4f18f2242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
213KB

MD5
ded33b3d74b13800cd806ef9b4bb4b97

SHA1
509ed65430a869da53573e260956f0e166fee54c

SHA256
460557f6343d212dbc256cf8d3be5a35e31c00cf4f15816c0a216018b051cd87

SHA512
0e704a8f3c46d72106dd90e50eed05b91d93643ebd942b88db27be1e84f9277c2ec010889f0834908565e176b7fea1bd522a6680fd8bbd4451b4533abf56c968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
191KB

MD5
35044aa26b3af53abd0a308a22b74b6a

SHA1
3829ac69e14b74cad8f5228cac0df97b4106b307

SHA256
e117053931f05eee6d6c702a93d19ce49e953036098f600715423d32a35c655e

SHA512
d4250b67f2e19a36a81a4203ce831d16a5aed2764144213f9480d61e3dd2632bc2c3098e0f9bd5ee34c3e9ba4abe093c0334ff596b35cbf7c9296d76b2cd70c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

Filesize
198KB

MD5
32d9f6a0795f1377b3fcf3ee858a8add

SHA1
42033cff5f76bfae02248b549277b60479ff6e9b

SHA256
651411d0b0fd6ee5f2aaf670d637ee5d9250298aba5507032a358be3a3333814

SHA512
0c52060bb763658229288dcba50c6ef9baa5b4580636ca4081227a9ed1cf9e96040e67b26569fc9144da398bfcf254d67eef594bdf1aeef5c554a7d8cb838fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
182KB

MD5
17a53a6e8b6aa718947ebc74a77b52f1

SHA1
52014346a089813f2e0d780f04d43bff81366fe9

SHA256
e508834d3ef97988d5f8d1d437ab791c4fc84b0093fd62c5babff81db7f55fec

SHA512
b1f0a2ebef617a356b0084dfc16ba7a01670cfa93c0de4f3ea5c07d8e62af351e19b12e4765d85fd3738a44745ec9508777ea56212375687c93947babe573b21

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
185KB

MD5
7cbde470ae65dd5bae3de3c905688881

SHA1
f263c8e01cc1b949581ff341ce22229d94857ac7

SHA256
03364257fd634a3a346e5a4935ae367511f2f8395db554162ddfa7ddb9daf461

SHA512
be1f8c645626aaf57c5a67ac340efa876c2e4afa003c4d05723f4d67fca6f3b95e8529c436b86ba5cfbd855c8f956cf05b12b556de1e4475d162a5b86b624286

Download Submit
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5

Filesize
2KB

MD5
4d11d81dc520c49daec13a866ca2a200

SHA1
d760cbb77963f810c0558f94db6a0c4b0d89c5f3

SHA256
6918f0f8f0461f866a849fc691fa5de86db117554fc09c6497f9df363eb483d6

SHA512
85de4910ccd7a083239a99218c5bb520865f785fdb08745b19262837c4473a4ee47b5ddf96b7f2a1bb0e06d8dd2712e699e80968fce196b3e31832b48a442bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAwG.exe

Filesize
191KB

MD5
459e9919977a46971804079b8d505075

SHA1
e3a3b943178d60d0a5e5f958a34b306ec0d17d7d

SHA256
2a674825ea61ff861af77f26144fe99eeef2d3e8b730e54d29788989a023d272

SHA512
0e37844cb532b613d59029b78c4a2c1de246e52776deb1f9a8b78e15a08f4910a20f3f7a4b25ae7fd2da3bb04737fb55889c081cc0875d97c467a919e6fc20a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkcG.exe

Filesize
565KB

MD5
1eeb52079ece2fcf9e5f36fc788b3ff5

SHA1
9ec3320b2513842d7bde65fbd9358e503a12f100

SHA256
d1b3becec25e3a4f489943791eb0a9f38c7ffdfa0f8b2cdaf0db4ab8a52c285c

SHA512
e60d126f857a54d5da971f4d727229abcf1cf04ebd31d067cdf972c7a57de99bf0e931ec9f9db3a91523c6c779adb2d866275aca22b323ea9d385759595e32a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAEW.exe

Filesize
190KB

MD5
e4a5271be2a0cf804c44e5693728fa8a

SHA1
6e8c3d11f0172347865257e28a121d0225847845

SHA256
5fbe98a5a6e5ebd52612334874fbebbde943bd9b950a8e4faef7a9c292d0813e

SHA512
e620e2d210f7353622845e12b458f9c8021aedd0d042089c87e10873e0fee91019fa42a874f535860fa9f0e6c3d47d8670f607a67e52a00ef52057a752e1bed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAQS.exe

Filesize
563KB

MD5
d84b9b978875fd6dec5c8af32bf14605

SHA1
6e7f67e90b888fd989732afb1cb0a9eb30714d80

SHA256
4ac727a09bf2b9b67bee7e1f65e0fcf4587437247dea0b6c4823f6c51df0d339

SHA512
c23ff575353dff83f08ffb87e8aa337573c312c087846eabda3b63d99a78b2ff281c945895da6196e378b45c9df1d66271a1d0f887df67f5f81876126a94207a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUkC.exe

Filesize
5.9MB

MD5
e531527214d119786f3eee976cf36306

SHA1
c0a657b0b3053cf80fd5f8f0163cd14f20edc221

SHA256
1ee542fd5467502a566281fc1cebec3c43de2a1d2a64e7512fe69ef275ef4841

SHA512
dc7cfd38cc29b524289ce6df1e4a78d45ed33d13d4166b30e1ac7dbf20b4f3b92656676955573e78550474583da1a1265ba68553e79b41395ad2a715c1cb1f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIYa.exe

Filesize
903KB

MD5
bcd4a746cd5de1d3f496c0efef55049f

SHA1
7b3173d44beba93f5bfc3fff04ef657b450b4ee6

SHA256
b135a2d052e5446d14c3ad131d57d44c8f44dbb42702450fcef383ec4a96777e

SHA512
d6034048ec7a36df851a090f5175786bc236658845593c8c549ee830a6604558a65376ac03d74e3b59113fb336f1816c99ea9f778c79b1b3aaa0933b0c824964

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYEG.exe

Filesize
183KB

MD5
57fdb51c31b33be0715a83d8d2c46283

SHA1
9762829d96cc237d992b56db0599fd7cfd3faa03

SHA256
a0ce5a3b7c4e3e3ce6385bd9a95911ec8f03b784c1ccf011bf211c036cf3b8aa

SHA512
0775fbf727808c3a87a20a4b3161dcba9df4533018f961174989b04965ca3ae3a5aa58e2b540d82aa25d1ee84955a4f7bc4480485d55a4202b16d2d05ce0845c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEoA.exe

Filesize
197KB

MD5
b66c8dc5d645436aff5378a28fbc0d97

SHA1
080e1e7ecc0833960a653efa04c7dac589e56e6b

SHA256
a37688c90be185ee40fb47e112da44fec40112a9b396a0e3f2ff7f04c5c95fa4

SHA512
c169b7e56fdf24d40b1cce156fdc6217f24fbbc4fc54bb22161c9fbb390203d451a68a882f70f88cbb56efbbf124c74935f783acbe215c225be6a6405b4a8c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcgu.exe

Filesize
208KB

MD5
e5c5e20a9a7a148752fb745e0152bec5

SHA1
c3783b5916b52b0e972e5337a37615c6d25db52c

SHA256
9f16e7dec4387258a1709fe850307c9c2c11bb80b49d785e41f7d56cf5ec8ad1

SHA512
8dc4865e71f7234da9c733f8ee8060ce30834664e4f6805e05b329a50064d30bd91edba15642e4b16f9abdc2d6ed361cc2ead39bb36e75f9eaa812740fc3557a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GooI.exe

Filesize
1.3MB

MD5
eb86af038cd53143b25bebbe6ea01ef9

SHA1
589a2620234f1b28701188a0a615780e95680a5c

SHA256
25f7782c77faf3d9f8f07d004faf07f145810b987b75f44d1ecc265c725063a6

SHA512
7cb4377835c0b01db854b311ca401e87b82fe29d97a7e2e2c5b62c772c9439935eae2096ab1aeb256d78c8ddccf6cfb45303baaa9b9f1c18c13acb58d39339c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwEU.exe

Filesize
218KB

MD5
35b0c565293a894dc8619e3ff067c57d

SHA1
1c5a174abd2d1ece11e2074ea7f42a30bab66f97

SHA256
23f86615db1b7c91e646b83a65c74260673cffce66f4ce79c1abd1fde52dabad

SHA512
028d8f1dd8d1995dae7c1f611123ccfc79f1c644da17c767fd06063ee4ad550affe3bb2d475760aa48e4d39ca3536acf1cfbb1fc700d44a3272b2af7287358d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAoC.exe

Filesize
189KB

MD5
7f0354b1c4f2bb5a4168d4d5067a5628

SHA1
ec3634325b7ad010a9cc96a5056adf7ad657344d

SHA256
73ee22986e447f591938b91b4c9dabdf6cbd962ffa0ab956b90c6e923f94134f

SHA512
07987f91bdfa8ef7c5e3a3af80b9604b9428c56cd06d520b1fc561448ab35724328a48e77cb0769bb823a36de7493267de9ac401fc40eb1bfa35632045f2f58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAsY.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQsK.exe

Filesize
215KB

MD5
e02ff11cb64a584baad14b11916ac48d

SHA1
7c73ec2f293e3325f778101a16b56b7a0a9cfd61

SHA256
fd38cff3c08d4bddb676f3da2995630066fa05accda225beb18bbca5c7adaec0

SHA512
1ca9dd51dbebf7749df694ce729ddf7cdbddc18204b78e3fe46404fd65c8c6b70e66648c9dfbdfd92813af48dee05b922202d55e4a6811231356681157533264

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwIW.exe

Filesize
199KB

MD5
9b3706deec33dd33c9d7aaa8d57bf2a7

SHA1
62a13dcaba095e53ebf2aa583ae1bf8796e7fcbb

SHA256
56fa1cbb0832ab3e57c863021db9986efa9b93ac089e942a6348801e77766cd1

SHA512
c2e08785304907c0aea549ebee38439da4dceb769c701eb36808a7638893a7d0cdc087daa6ecf9c2ef03c8a221a909a6225b4781c9280c4663a3488e149675da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwcO.exe

Filesize
193KB

MD5
a59e5d1cf21698c24047361ed70cb2fd

SHA1
ca283eb3bd7332d3bf8f7ddf4a9a41b300adde61

SHA256
520b5d461656550e001235a1a35a2541cf9af6911eadb7cd1d418c43d78a5da8

SHA512
af4bb894e4d7867b8e70f90a1d4ec41ea9e4079ed1263a97ca073f951bfb797ede7b898a6b4477f2d8f36689b5366a2200070093dacf31d0356a65bff5292669

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEgi.exe

Filesize
232KB

MD5
a1bb97cf9b7a472e30d11e99839f7ccf

SHA1
615843423d3df41fde0653630952224aa57eb7ca

SHA256
391875eacbbed924d4eeaec418a01417041ca78eae4b5739e59cf2a77feea516

SHA512
77e4ceec46f5e8adeaa0fa22d08d00b0f21091ed83858ab6366887548aba12e01f673d3e46de6c41b842b4b9c71432a23af6557e6471a1896e23ca99cea4c8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYos.exe

Filesize
188KB

MD5
7ef7f145e4fbaf14c203163fd257c0be

SHA1
898780ffc3cddd642b85ffef31cd0237bc7a0116

SHA256
b2fb2f340cc515bad4c9c1a5bb4acc473761cae2a5525415854584452f999256

SHA512
efa2d268e50ce788896406f6e4ebda097a0b7c2e4f5bd9d88f54ac5ca5419e60b8d88610d2850643bc2d8bb3abec1338339cad3107805033a58b2e91ddb64c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkQm.exe

Filesize
198KB

MD5
9f82118fbafdbfd90492a8a314dd6d23

SHA1
922700d9c740eb3555795ef757a38e3621c9035d

SHA256
4a205f143e20f528674dc8ed78c9c67a46291544dafc1037ac29dc6746c21f3c

SHA512
7c60a7ef197e5a2d3dbc450c77cf4ea5c61c7bb077580b151071d3244b7f8e0888396fa8b54668273ed9f1ae4673931ec592b29e323d0ac558c5f207dc77788c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAQM.exe

Filesize
196KB

MD5
8317e57f1075a0b2fc5f9ad7181749eb

SHA1
2c67a7a01e93db7f2b118c796cea62cda6e65abc

SHA256
3b9fc60b11d6ca1805793d8151c40766849a5dab7bae8096d20c09267493bc66

SHA512
2febedbe160f6dd7305a03ef041dbd8a08168195245e724875561b97146301a1983e3fe6c4914e5487a1c7171d75933b0d8c31a1592761e7a769aa0888a73068

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIAm.exe

Filesize
189KB

MD5
87d75b84d03d81a7cf47dbc501a9fdbf

SHA1
78bb63ccbcfdad28746582033aab4719448aec76

SHA256
48df5cb00f6800e0c195af94b002019a0943cb4d2f847e9320f632a91c4834c1

SHA512
f88e006c1edee5e22cad9e7cdce00af1f63c073bdf9c6c8848ec7d12cd86c33d98945cd58162e497aeedb9a398711f7ab398efba6022f4dd2fcafb3512c1844e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQAy.exe

Filesize
646KB

MD5
1e163072c065fe42f66c5b316169c043

SHA1
834e9b5c6bb1d606692d73de1688cab206555312

SHA256
57fc94277370cf1f31eeb044d700b5b48ae4fcb5ae1c3971fc474b8a07b44525

SHA512
a3c1b0fc5fe70d60a6d8bf0b53a24bd0f4ca28b235371be521fb4d419e4174e01fc848790b1511a2204c5e6808526ee57d13f7e5fde4da07cd545b6fe84d6a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYws.exe

Filesize
204KB

MD5
db5e936970805324ecf077bbe8499d5f

SHA1
5077f5d2b4963843e18075b1e329e798147227c1

SHA256
02556efb04a9b344796183bb4c20b311c8957dc03209e8f34f64683e90c748a7

SHA512
8f9b75ed28b2f6018cbafd07cc99ce3e38479948641da678f73ecb8496a2002895de5968da07e74ca6ebc2a4746f73c3307bebd91fdf8479bdae71f6705b44e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\McMU.exe

Filesize
650KB

MD5
3011c04641584b41fdcb0f417cda9d06

SHA1
a95fb041b6a959e6e9f93b6a1768f79d54e65312

SHA256
63ebb7ea1ed61830bcc23edabb7797e4cf097cc2e38b590316f1da121ddd19e7

SHA512
d0f976907e6c6cc60d6346f0de35763fa40639b1670df60261875c08a45f2f28700586294ea8e1c045a131e32e475c47ae3d2c4fef7a3ac5f2cf0c0dde5f0a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQI.exe

Filesize
214KB

MD5
8bdd8112255fe1554194ac39f55b2317

SHA1
eda310f47c3a6382c042af02750eb2ded59242eb

SHA256
1ef587a42a34f8b136de94a6001c9145ae5589b7a00b19b3852097b14ba8a2f3

SHA512
456bf70a17da94e296d7c73be098ffcf9523b208eb1777729b6cda34d7feec8ae97f3dde4dd35a8227f337655c4c333037d3f40a1223a6261e354dbf3a857165

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogcq.exe

Filesize
495KB

MD5
e433d26e3c0c1e4584073eaacbef42b1

SHA1
423f30c64c1d8051ab5b5db552d89744537bdf7f

SHA256
178a97bba321a481f5646b75167fd51d53b07576a3f3a108093b190c13f620ff

SHA512
d1de1f1e68d396733bb860c69b27823f50b5999373c915c1bb4d2a3fc1d2aa6693c9d47f92e4855a632dd17fa78042a80a972362a166aed971fd6165f288c0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKkUsoYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkIE.exe

Filesize
420KB

MD5
3aee4e46b77aa0702c2f22c6875bde77

SHA1
e4e80ced8ebee47290ce4069036c3df5a82800b3

SHA256
810335ce0472437b319197c7dea4965ceddc1624f98ca211b99ee50c3ea3e5ec

SHA512
cc1d02fd5ed6330b2fe702480a61bd17b9ebbbb4eeb4ba06cde10c8ea8fde75780cb25816e515185839c5a8147c32f1329e863f339b154425bc5f2da5e6229cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QocQ.exe

Filesize
184KB

MD5
ea8028b059b390e920e6890d54cfcc5d

SHA1
baa0bcce7a9ca0aba22f6508972b11bffa0e0083

SHA256
235f5103dbc4c74ec1988d5b66a4938cb5a125a0f3fae72ac2234bd2eaaa6773

SHA512
97372f90bdc280e8cd19ebc0d25078b5219406fe821965b02fec2e3ad5f335066a595ae7a76bfbf79dee0ee4d36c8a42b655d739b96d509c3199dfd6d9c870a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMIw.exe

Filesize
187KB

MD5
b631b1510cbc0024187743598a53e2dd

SHA1
e3ac17679f8bd7d87a4850e83068b9e5870b5a31

SHA256
28880505e21d8eeac53469e658cdad11b777f8d1f75890f3d93810842c0d3680

SHA512
8f23a85b92d051a6ff01ebd3d85f7cab358041c0d3ba37ad825b196c65a359a8665e5851dbba52797440fd9fb12183b61381c0743f9bf8640457e2282734903b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMQi.exe

Filesize
784KB

MD5
493b9a7e756dfdd9ee48317f581fe1ec

SHA1
7495faf19474abd5d76a76fac156448ee6d8ac46

SHA256
e2ec458373b56cf2b0f0898cf0ce79d6948d4de235672a48e6db2aac4f4f1a86

SHA512
1b3a2ec69fc5168a184e5c6ef2191faed4dbd2f5dc3c47349075024d4d7e9d22db721cff1b88b515d39e9d0fb132790e11d058f21c8855e8675003ded2b5b5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQgw.exe

Filesize
1.1MB

MD5
3a63398b0123ae7d4bb4a7089ad24663

SHA1
26e7eda4cb03dd8068ed5a7b7ad5dde1334ca165

SHA256
1298a883eb1b14360e93127246e83dcad3003ceff29d4c3141ef63b8f3c61ea9

SHA512
1db636d75a6b70a85e4e55b59483b03e25e0d5352d3a068283b867065e8514e290cd33fe06654c2b11b8dacffe457945700871921db6eb446852fb7e4cad14fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQkM.exe

Filesize
188KB

MD5
b46030d7a6815661abfead250db9925d

SHA1
f931519c559d060112597c3c82cf4f63e3a3084a

SHA256
ae1057c6442222d422fafc0e7ef160a3bcd8eca6894904f583d7ba90bab02c80

SHA512
64a0021a2c7d240edd1f577006c89a2a57885cb39e34ce8ba66b133e0b5ad68d2cbcb8993007b81e79f121a1cce9ff143d92e39b21a217795865c27686d21168

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwMw.exe

Filesize
204KB

MD5
f5c499409392941fcb7b0fbfb375c486

SHA1
1abc27d69cf657c8910541d24bdef8b5256dbfd4

SHA256
b4a3a40cd8750d4d9fade272c809cb39a5d886d89f8415b958d8b295aeb1b498

SHA512
709ac3f01448fa6c4cfa5f436bc052614fb581bcaf44b13e4ee7ac94e21be61cecfee6f3ad70ca7e3da78d35abdcbf7464dfc95e13cd5c0dfbcb679c9c234d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAcm.exe

Filesize
492KB

MD5
1f1efdd9cfdb8c073c092d696b50b0bb

SHA1
d35d029c0b0ffc62ba4c76d009f784c4d4f3e8a5

SHA256
1e90ab3aaae8dd00474fcc4d730f5390c013fc76faa6391abc37d4fd32705846

SHA512
0425086986abff8f3d1ec96c4f332cd9065ffbb72f65c61ac3f1b7537adc1d76d49c8056087dc3f3faff75908b01b9a385ff25ed88bd978f84da80a0abfbf7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAoc.exe

Filesize
187KB

MD5
2e8ae846eeab551e0a8d1fa557a91c4c

SHA1
e0746649673a08831cb4e9204eddfe00c7e455de

SHA256
be6b075c02f8472cb587a81748fd832902c11dd3878084615dfe072e7a59ec47

SHA512
fff32165ab3c65554adb14b0f0cbe976e20ef6a7dbce2cb1bb6dcaf8b79cf60176d019dfb773dfe9c53e509ac4cdbb208c57846bc69111d321865ec16d5157bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIYi.exe

Filesize
778KB

MD5
1601f545198c643f576013c4b068c5c4

SHA1
c582dfd4a9f7a395a6e57924ada44ddfd27b9c09

SHA256
113ac53215559b3ff49fde136f64d9d196a2626d9a2baae5d839daf1e5e42a11

SHA512
32897c39f90d92aee2eee537e27a30628d7f4fc8778383a7b8e336f505001c616e3ce6e01004e6c0239f4b4159fa87013ffe94bc233d8f3dd9607bcc78c23057

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQQK.exe

Filesize
201KB

MD5
b939f9352df2094918b30e15675e258a

SHA1
766ef6151a14653c8f2e96b0cb3302e9e6a0ad8e

SHA256
de843426103d4ed1617c4c3879c771eba353b7ba38901725afccde51c4d9e423

SHA512
f946850d50ba0e45a8ca94dd31ebd84f925e5d8bd3d6841a47227190cc55044c5e7c22866f6abd1d612db4d02cb1780b5bedba61f225ba19b216246b0656d472

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkYy.exe

Filesize
995KB

MD5
15aea51771532e1c8498051892805b81

SHA1
2048f279dd42bf97f639f58d27c6e7c0c650f02e

SHA256
0fc3a17d98fda86bb3e57f77c9ccd3ec64bcbaa93f9a3c455bee19635c43bf2c

SHA512
430697aa5e3523df8c4514692fcf5e99cb047e2bf9862bdad44415c54812914c47672bea4eb490f76ee6935381712858411ca8e674028d1b47ce5e3c81163015

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukoi.exe

Filesize
217KB

MD5
54a7beef48b8b2a385fd488c3e671bb2

SHA1
bee26fbc8eae530b2f401c3dd60586f016ddd992

SHA256
786a28dd7727c4e452d791f804d7c23f336d48195179d00448f779c3f1872a4e

SHA512
6e19014601381f706abd592b8170d7ce90cb9d8a4416b504f4b8c63106fada223c6997500f70f5b8212ec489781a3938a1068dcd566e051554fe1eb592039b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwcU.exe

Filesize
195KB

MD5
52b3138a70300d7b0c532a3887106483

SHA1
0010b150545dd2c614179031a377fea1cf5b2a62

SHA256
6362ff33e50c2ea7533f21ccd0d93d1e85f74df976dcbcfd4c59a735f2359450

SHA512
6967b6c978e69d9d5b137b54a645139fecee2b101c005e239385d64eed6aca84b31140923883a0e8de71203fd0f44d10f2da16265e05eae8519f1bd941bc723c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcAs.exe

Filesize
194KB

MD5
9a895055b4af624e05046cafa2434c47

SHA1
e687fa6e745d48d294f0efba62ced512b1e93609

SHA256
48420cf236fcf1bf28743b5700c26c726ea2c7640972bfa7c614d2f3dc7f335c

SHA512
3fdfb8de7c02ad2892ae79179ea816ee4d0d25830c1f281700d0143ec479b5a4152e91bda35e05dcd246fb4c79231900f449260d20fa80eaf699d0e62079d28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcgk.exe

Filesize
199KB

MD5
7fc69a6bfd520bc888e541a644924e00

SHA1
b64f82289b8ef3dd8fdf6553f8a504bde4a18ed9

SHA256
26bd3954f7b5ba99bebddcf966c2a5842c1c8c498e2733e781eef663b864ddbd

SHA512
004832abcf74ea4f7350578369802b43df60b92f41961fcc151d101fdded3498bd44808865b62b5484e862939ab099593cd05da9b31c649f7e772f50527049da

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkYE.exe

Filesize
202KB

MD5
b25b82e1f3f5cb9778badb9b05ce5b87

SHA1
71e0cd5f14ba24078074e1ee90d8996bceee92d0

SHA256
a9abde82108504a680077c67134f8ee38e29be5c9710c31c15b2a83ecdf31f21

SHA512
8131c51375a4ab488e1972e1694eedabc00e26c000da09a351010ac88588ecc10282ff50d993481ce4549fb949685f22d6faab80dc09fbf05f99f8bf3a21b36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkoM.exe

Filesize
207KB

MD5
35b112763bc06ddf93f519df76b7ad7f

SHA1
604a0f06925aa32755b9e4bc8f76e9e0de43d65b

SHA256
b8baf1e1266d011f21c8a6ecb53f8185b1e22cd4631e6b22f85dd90a37d8e9a7

SHA512
b44647906d32f3aa477a6e73a3185e7a6ab0b6f5513e7d2dc417740822bc5fb5f8523a4173fbc914399422d6ddbf4fcdc1659a92767c3d8696e481c825a4d002

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwYO.exe

Filesize
227KB

MD5
fa157cecbcc232fdf853e09af654a78e

SHA1
fbdcf222dd7a1314fe0fa471399596a88ed75854

SHA256
91a70a103b1dc62b9d715a9bd8cd77b240db1589c906062f948a2b34a1789a0a

SHA512
a265a4ae5a5ff1afb4a9dc7c50213dcb80f80febf94d46902e50cdb9ad20b850aff08e6c0cafcfc9b9c43e35e5e6fea2b7b1a5e25a470cec5a6e1a670164700f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEcC.exe

Filesize
202KB

MD5
5a8158ba4f90745d17df9c54441e27d0

SHA1
8840e42c7c72dd53af8a68b2d2551ed89e90b335

SHA256
d72acb8ebea5a234794cf5cca7a41c3c4aaf911fbba1b1bf53c6201200251378

SHA512
58aa7bde5960b563a9c7ce43713531855d5d96c656bb92f249068cf38342dd62f1201558d4bc0b4aed7ef23ae4bcab477344987c8bda6da00c8d88b4d9d700c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUkA.exe

Filesize
737KB

MD5
95385ba64c82993a6d214252a3727b6e

SHA1
48082ec08d237ebee6122e9ab84575cced25cda8

SHA256
14373a86066cf0672151b81342a7a16d11ec91ecd8ca6b23350c4fb0262041b0

SHA512
8589058ba23764383a838d4885348236d0b00fc23002a97b252e20393462be26cb4038225d7a592b287dcb699062d2484691c6dd79a3fcfd657b134411e51820

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgsY.exe

Filesize
199KB

MD5
7700ead84b82296224b5be2f0f69c529

SHA1
e679c231664d14ae18b5d3e2600af84b9500576d

SHA256
c3d917ab4cfcd8d2e380c62c168e2a6e43e4a856b0d0ff262377c1d60f9ca25a

SHA512
f5a42ee9c1e327d3d3363d9a0e2ddab55d5579b1fad8e9e666945005d4387f1afb1ebe45259be1bfc1559f529fb70ac516b11b09e8fb757a3a779cee8b7ebec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykgo.exe

Filesize
1.8MB

MD5
5c829345fae0d242fcbf888afa510126

SHA1
869120e37149762cc3ccfdaf7b8f738fc3e56e3e

SHA256
0acd2e35ebffa0be006f4014d5db1cf86fe2460fd4cb8c5d301f457a33f93074

SHA512
0fe42ee3eb18a5175d2594590120c2d427f4ecddd7bc368ea6e3345524cf63cd9f3c7429ba0a44b8a1c852c47b7348732dd435d75ec626178d431fbde495d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwEY.exe

Filesize
189KB

MD5
c2033d0ddcd1f051d4cae9a05add7334

SHA1
196f50373cc8071e4456989764253b70d9c9df3b

SHA256
857960383c84b4a38325659474b04541eb5730933493c29bebfddb980b3922d6

SHA512
5bdb478ebc1d998f9513c69867693b233852ca0bd41be5798b8e2fcb00b720bab2944ae05f32f125408c196d75cb83ac5106a3fbd551796b27ffadc9ac3dcadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEIg.exe

Filesize
197KB

MD5
3e3ea413462a66b619bec1b2eb281aca

SHA1
43d91d445ed0792f32aea092cdf5225b7d52b2b1

SHA256
d3ad536a53d7a9ff73aad697932bafd3066bea0c8932f8a0280df12ce107a1eb

SHA512
ecb4f95a2e50495d3e4f9589174ed39df5e1e09b53df8210d7883bb048d0c6b89d9c0900f88880628e069484ca839d94bd54b2ebb1f101cd2df041b7b60e2dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIAQ.exe

Filesize
648KB

MD5
43e44d9eae7128cc3af23582643f5cd1

SHA1
3947b2a14ca177e51e48a139ed32c4e1e3b3ecc6

SHA256
8113d85582fbf84a090f328bd394608d55ea2c77a5b37cb536a1a89bfeee746a

SHA512
efa2456364c52c47d88f9288e8121c63a8d5221853142094c16474105e87a5ed0e24af5e3eab527d02e03ebe4f7bd6b8e42e540cf76e5d8e3e7e55552b3b86aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQUq.exe

Filesize
201KB

MD5
3ff8f03673e20614eefc6547d3c43754

SHA1
b54ee1bcb11a8da30997c15843eeb7cc005b5a5b

SHA256
39b2f72d077f1daa8ef7776a1244e24dda31cc2a46398d5d0622986f5884605c

SHA512
4e9b18621a8334ac4f216335c835818acb316334eb3509deeba127c8a2ce895a2aefada82cec856c37713691d91678ce7beec89502b4b59e9ad924734ca35a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\agoY.exe

Filesize
328KB

MD5
08417b72f49c803c0b230cc16d7bac9d

SHA1
79d8e80462f9874b3debb4ad5e91fc9ace3e2ac8

SHA256
731b537ab5fed7d23ca9d40f780f4529574daf0844e51755a56049ef6a628e91

SHA512
d74bdc8435cb620c332ef5d36cbba69fd7c262859053e730732e7224472f825b47ba60c2751d8ba36bb87ce3f882bb0fac54689bb32ccb531a55799edcc46862

Download Submit
C:\Users\Admin\AppData\Local\Temp\awEO.exe

Filesize
196KB

MD5
0e1a8ef645551ae4fae1a9478fe5f3de

SHA1
a3b09d14fcd81dcafec431ddd003e53b3898616c

SHA256
1f8c6837b735308dee91f873e387ac32f585c2054e84a64318fe9664c5b81bec

SHA512
7a3f0aeb69195f2cb8f3a5c958489697f02c74c57165dc397dab5a3e32e7f6f55f870c6e93543958afab7ef47865108b810c91d340e46a515ed61f3b6c09c27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQAO.exe

Filesize
5.9MB

MD5
222affe2bd346016b78f9fc4897d2b5b

SHA1
ef02cb9266e902fa0bd727812bd010bd7cde0922

SHA256
b83a43cf3caa5c534736e11c486ad9c794f3bec21a560de8a6dfd198692721ca

SHA512
0676ef10da888cd33d7d1820b80f940f8b4ae001e50416a6e30a726a425154522834568cfb119b01794b53b6ca9f09043addf203d074370fe3e0b6470e3a72c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEMu.exe

Filesize
805KB

MD5
0154ca978931286a39d88e6efcd3cd1d

SHA1
2502c8cc491f9e93fee713829ff4bf5ee4195a92

SHA256
e5691f6870485486085807cb5b88f548c657561095af6aee82aacf9c710faeb3

SHA512
b90790135203af0eff937660a60711c75ffd4ff70f4d39971537cfa354d19c3db7ef7475f260e502e44df3d85dfc386d30eea1e538f458932c706e2796e4fafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEcA.exe

Filesize
195KB

MD5
899e864c708a271b8dd34e8e008f07ec

SHA1
0f0a53cdd048bc23eba4ebdf88f8062b24cd92b3

SHA256
9503f6c141712b0f6a9e416872c34ac843038754862139eff8bea0ea89e635c3

SHA512
69164ee13523179eca17f39b33153ae2dea119df94ebd57be969082f089af1a9d20f02a721a9453df5d2b2c7999ee729fdb15131b5f4aba83202015a669e73d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQUO.exe

Filesize
546KB

MD5
43bb1932623c8b61d62647ccbebb165e

SHA1
09a98dffafe8370878017c8282f5e7a8473313e8

SHA256
d72b12df0d8c9fac41d9803c61ce97617e7b516dc8ff7af0cd860fbcb645cf25

SHA512
782dbe49bbbc94e276ba1a615d6ab293b8ae96d8f80913bc00c49e81dbd11b5e8f1db2552e7d097a00864bce8420ee4da094809472c37d4ac86ac9bf1a4deb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAse.exe

Filesize
209KB

MD5
dcd3653a3b82a4b82262fc34ab461bee

SHA1
1a2096afff5fb0b066e5b2a4beb91305138a3016

SHA256
3a964c5f3dd9e33a3f16861cdb4603c7817b3834a56fd18865f6286880a7c309

SHA512
2287188101d91abc3cf7c991757615030d9738d546f8cbed19f6d19b303b0ddb11c1bb4f74285c6efe6b8ab0a1a1ebb35d19b895929bea61a7e94a0bbc7000cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMEO.exe

Filesize
197KB

MD5
dbafac0d42cda77c9f071abbbe313e94

SHA1
797a2f1c43dc52ec2c616611308093619cb8ce9e

SHA256
e89dfd8a6979ee9363daf08c70e85ba1b88c728a13f25c9b053480a6e71888b2

SHA512
ae5521d37e93a076e0c1099efb142bcbbd63ec57daa9779651c64f8cc731c97e59193ec31a173f8ea43e89cbc7b94e6d531037d6ef2778761b08a8c68dbcf3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUse.exe

Filesize
210KB

MD5
da42439950bb60ce27b7a75e77afe178

SHA1
054c4390b4f042071e05a35b074ba293cb05ad6c

SHA256
0c20f2351c127df9e80275d1a6c2737cd9009486a6c087ce6b58fa1553a7f324

SHA512
de71eca3e043d58374fc533abfee1e5981f6603c6e198e31984f3c33dce09d21381735c64e5c5c841da6224a81e8451baf58cc51f792c2b0850bd0774bd11da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwO.exe

Filesize
195KB

MD5
56d9cadcb7b34fe69e392f89df4c3683

SHA1
ccea9c64367e833d812c8d145e2f1a73e251dbc4

SHA256
ed26c171504e3f1aa557f6e13f1dae2f1757d2b3f25ed1f7a3aedb85ce833a58

SHA512
b8465ceded68d944d404f819828a38073872a3bfe6d7d08d1a77359858dcfb707ed39625cccd8dbbafe4d487a8a53cbcbefaa206c5ab0ec30dba9ed9b06a5d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIoQ.exe

Filesize
324KB

MD5
4659bd7726b2c9997c6777f27e83c659

SHA1
2a9612c062dc8ff1118b549357aab65df98d0b1b

SHA256
202a993db43c9265fadbfc1e58893cb22af76f80fc950f360475a83fef47a0dd

SHA512
7f39c2f02ccf9f7ec7a68a7cd5ca7546ebb7885aaef097ecb1800103137408bc7a350ecdb45d56cad9ebf536563c3fa44ca689298499fc15af8885370826a2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\icsE.exe

Filesize
264KB

MD5
02816e50227f115dce9bbb2c2d5c0872

SHA1
97ee4e3693e00507cd0a5493a0a3de4a474165e2

SHA256
cb9579bd9f36f5ef9c1db734c8513283af53592f96e7f8f297f94aff79d8ba3f

SHA512
8a24701e4f91a6c7769adf244c5e7557c0131b1e6542af7b727ba719946d7d89e908b83e430f5dfa17e24bef80dcac744f5c455943b42a1492fecb10e55c48e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\igYA.exe

Filesize
218KB

MD5
3cf8d084ce399952953338c1af843a4c

SHA1
d287294fca24d09c80f5acd2f13a35108aea7ba6

SHA256
4fbcb2b6b506c8f8ff9d0c049c926b803b4f0f3b8529c6cf8b7adcecb4305dd4

SHA512
89d6e31e0708be81ab3cad2e43a6997e8533b1488ae7e65af826ac3549401c1880927f1504b7e057618ba0bbf82f8e92bdd0191735d679711bd62b6e752005b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikAe.exe

Filesize
801KB

MD5
5cb182043ff8c2fec3dc0736a51d7357

SHA1
686f32acf4b1ae62a3a9cae2d9d228105739d48d

SHA256
664108e266a9fcb8c1a834cbe14081518c528671f5d48516ef0f5d9d294a93b9

SHA512
c0da5b2a6e51195b3eb3daee277be87899171b1c9edfcc2376ece1bb71b7b8cffee10bc961853a176e8ebad518111d0560cdff35bfe64d30f016274db8cc1c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwgG.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwog.exe

Filesize
958KB

MD5
3a4659699febac0f40a0d838735a080b

SHA1
b072f01fa8bd5554df5c6d9f1c94abf9ef6a3629

SHA256
861a7c15577025ef86b9ef06c1d60a9b88b61eecc19f3d6617b25b8efe8a30e6

SHA512
8a9ae47f2ba9c0f80880831bde5163967e46c04a9cf81bb581c199a8de4830e7960e158140d30f1c13eb4b665b1048f4050216cfdff857446c0adbd49a79472e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEE.exe

Filesize
188KB

MD5
d2f451c9251832118ee6674c9f5de575

SHA1
6f05680900d62b19614930c5509bb929bcc4dd7a

SHA256
d6d28cc780540da56e56a87b4cd3bde88f7fe05bcc9ce34d6685392dc3d8721b

SHA512
90cb1998db3cf3b3601e47b9854a92c1106334a961b988adcb1f15387d77a7faef7d82fd47f6a4b446a1101b97e4805466903954b5adf9374bc1742d40ed4699

Download Submit
C:\Users\Admin\AppData\Local\Temp\kocY.exe

Filesize
220KB

MD5
8f3932a0b249c704a292d2219adb1cf3

SHA1
d3e5adcae4ab5a7773432fe460d6a69bfc635d79

SHA256
3a2853167a7b017303f1a7493368c72a26f43dbb0f9bb9a7d5d2e9dd8ea488b4

SHA512
87470f2b998658bb1d0900c133e286a86e42eb4ef200ce5b5fff3d4a856848f70107e91091c217b0719eece110185eaf75cf40ad5856acce4cb4dcccecb373a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMAK.exe

Filesize
1.0MB

MD5
779f6f9197b190541aad95997661edfa

SHA1
9adb5599a90743b87621c1d668c579770ca687f4

SHA256
881c88f1938b0699fa3df10924c51d41bde9dd6fdabb4821a3f42d5288c0833a

SHA512
11f7f433b14f5bdb2e8bbe54edc30bc253dea69fbf441f72c67be241adc3f3ccaae0ac52e23534ca71c37ea9a6c6223a323fe3f5594565fe42ef72d649f3b5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUAg.exe

Filesize
776KB

MD5
4035421f047bfbe4db2fffcce310dccb

SHA1
fa7c18178a575f889b683da7c2bd8adf101559e0

SHA256
ffee5f891f6faf2213d25dacbd754d8b173d0fabeff3c7c380c4086c25af8eba

SHA512
65efad7be13e64e2e014213462d97cbfa9aaf173489b6e821d85fd749b6ee600eb30eb893f2f3e97107e5483941f46a936b050ffeda47f269f809b171c8a2fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUgC.exe

Filesize
222KB

MD5
3dca044ed12fcf0fa3f78ba46c9d8c91

SHA1
ce9f82a35b8962d2f76c37c570da77035e7943c5

SHA256
2e052668aa3591af520340f1813b47d2db73ddf73279b74172c512187d6c3afa

SHA512
c5ee1016ccf9221649d6f92bfd751e26a733109d6a9107f5176357ce671d4049c8af136e924a13c9c6eb48566df6ad462e563e916465816444f87b264b43879e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYkS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgUU.exe

Filesize
186KB

MD5
e4e17226e2657de6dd9d83c6871eeb40

SHA1
85efbdbc12ce1adb20ca63522b6a8d05de7ea6e7

SHA256
7e1504e3dd56fe1e9fa7b2cc78192be18df1ce81ab4fbbe2d272a16fc7f186ac

SHA512
645b8656f79818ae73d3f46c25927096afd0208eb26462b545c0dae8f4ada66cb147116a0e411954519fee81f5dfb0b7cc14bf4571db59dbd8787690668da9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIkM.exe

Filesize
185KB

MD5
7557d09548261eb3e09abbd5ae86d862

SHA1
b679c2144d7f19a4614e7d994ce3d5b813ea5e1a

SHA256
1f1618b31ec6b72924bf6f027fdf31a71632ee98b7ac2cb8a8dcd5045a83af9f

SHA512
6baf15b735e32bcbca0338b1726364ab24183708dbb8a52747751f4792bc6bf87ee437d22d35098ceae1b2a4ff53932e9eea2972c004570f33324006e10c421b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocMo.exe

Filesize
201KB

MD5
ba9d88078ed9847413bf1fef877e4b5e

SHA1
0802acee46c2fc04cb111dd3bd8b9a6443b0e444

SHA256
43b7f8f0ad432db5dc69d31eb0146f8ccec40dbed0584dcfeff6e776afddc1e5

SHA512
ea02a7d135ecac66173a076752ff5178a13f90c3f06e81ffc6ce5439a9d970f94d7ab855d8cfbfda9ebe9d592f0eb5904397ebd2f2e89d648134c3a39357e3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogsa.exe

Filesize
807KB

MD5
cb774c143c03668cbf6c94b9bc34e1e5

SHA1
7d5542882af5c90708655c9c7713b8188f137f65

SHA256
59948a61ad73ba822ee612f18fb9519318fb388078b0f5ebf45283c65c1196c1

SHA512
c4517207a734ca4cdf7f54cd70507f9f9333b6f9bd19e370d0413b85f5d9bee16d2ff7d2028610d9455d804e1bf968e97aed710798f1b67f4e122562e1de6a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\okEu.exe

Filesize
191KB

MD5
a1fc6f183b199e4ac72181fd96986f11

SHA1
0d6a5150fd85456cc08226815fb347f142ce7e98

SHA256
c6260adc8934dcf3c775aa3b31b354aaa3ef155d8098e305ae6caaf4c94816a1

SHA512
4404612ee245a7b58f19dc025e9e5694c802ddeadb0846f34e30c846bf4050ad923ce7505ef58f02ab3ac15baec8d95ed481879663baa900d89571737b03f6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEgC.exe

Filesize
202KB

MD5
86fa450fc4f793c949fdad8a4993361a

SHA1
484f4be3a3d340918845484d0118d9e2eb7c11e7

SHA256
2de87e7d47d8160e38547df4e0d4db687535a2e57f31bd28ab11abae6e0c4730

SHA512
61f2ff426e63c30bb85355dc722eed3a1d130bb4bc93d84a15614d54ab12761a0bd9c333a5b746a3118b4b0c5c5c49ef6b185138dc6cf19f31327d2c47e9cc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMsO.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUoI.exe

Filesize
196KB

MD5
38725f541a9f9b4fb1d6b381479047ce

SHA1
30a0da174389c0d8dfd26e68a094f02964ee2193

SHA256
63a13e4bd4a62fa7ee34131ed83f68bacf8fe7a546565fce1676e05160544f79

SHA512
211a7482654d0a720ede8fa255d19e62500a98066b7e4006008c446cbf20647d40d15c9105b77e9572cc0ebcf484e0cca8fa343aafae0bc15af29649c09093f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYQU.exe

Filesize
326KB

MD5
c792b50b31fc0b5a26cd72cc919abd9d

SHA1
8951be1f6f0e22f35314905b833ca615367605bf

SHA256
2aa24b9a82ea856b9c03a54ccfa441ad3b3623827eeac1ce388e5bd0caf35e6d

SHA512
dc531b504f5b9adde9263f0c681d69d936d0f9f3ea8d83963551c655a0ea4c882d85d3011fda607f3624c0cfae30ec943ec2caba4e1c732f3f4d32fa642284d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcca.exe

Filesize
815KB

MD5
b460798c4fe41dbc5a26f4ddf64653ef

SHA1
8096eb10eec88c77ca27a08da7b0ac60e74bfe1b

SHA256
06d39c6e051a4599895c741be479b518bf7182ab741dd604a790f8a31d440af3

SHA512
537111b80824898516a5608f4f7be7786da7c90f607a8dfb2efd8fc2590c4315d168ad3eb232b09a1fd957dbdf4171dd2760bd10a9f52ae677860cf5f485e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsIO.exe

Filesize
211KB

MD5
d5b1cd270278388d59550a5dba6fa1d6

SHA1
fad78dc217113e176971213eb2f9a8c8152ba082

SHA256
79f3f4dee3e52469b60bc7181ed5754a7c26204e39f9eacbb0976808cac57610

SHA512
b32d026ad4f442449364060cf6adda4e5dca71cdf091ad270b88242e007221b7a1255dca0ae9d73fc3ae01f338abbfcf1f0b6d0da6a1c20e57c587d18694ec8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwAE.exe

Filesize
206KB

MD5
500f984deade2b8c5591b790c21a11e5

SHA1
e55b0f30a12b8d415d9654ee264e8aefe0605f40

SHA256
206a4dff43221fa3e5a72096de4c5b6ea08528976de3474d79c5b84e65602511

SHA512
4d8e495781d14b4cd5b0e2d4f7a72420310f462e281694979cb19daa6446cb3d4cf1c20a02f159f262665729931d34efa9302d641356a9fae97353a371dc7ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAQe.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIAq.exe

Filesize
200KB

MD5
a11f6c6f70e540a1ff37fee6ee1308c0

SHA1
8744f895785f1234790884ca3d1dcabacd26bbc6

SHA256
11523dbd021039114fbebb434f44b44489e25def9e0f3d72948dc9363c530eb4

SHA512
4ee56fc7cc46f85c9f10836ac5beb8a1caf131e0c401d281bb89122267aae580f274e66f635f9fccff70dffb2ca078759a1c671aa035390bb71683c382440301

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQgM.exe

Filesize
828KB

MD5
fb2e3e0f69974f5bbff27ac54c64bb1e

SHA1
051c34388b6ff1a7a40394c73aa0f488caaeb448

SHA256
f2fd7146197ac0fce063d9ea9b7a1504e2f03be24a108940ddcd39979ae5ffcc

SHA512
415de1e12b95f0d317fc4a0b93bd35cb9e46a1a277b5faddd733d865cfeefc552d8d2f3609130e66a472243d6b919eb6ec63adaf24c7b12a505afc23d11f7382

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUwa.exe

Filesize
185KB

MD5
830d3124979602230c3041cc6cf64ecc

SHA1
ef7974a73272c84eb14205358ab092f290bf020b

SHA256
31a4d54907645a0b72d2b465b054401a94cdbfaa89be40ef0be56550393d045f

SHA512
eb8453ff7587c65dafbe521a854d164cf7c63dfcdfc928567f83e9dbe2445e449cc5c2a95c2469598a54465b6e2500fb992e79cabb03b81567fd78cd8825c145

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYkk.exe

Filesize
600KB

MD5
ca9b0ef0d8e1434c2141411e0d1cb899

SHA1
84d7cebf1844763feb93b70cf2b2736489accd00

SHA256
4abc57a92a55cfab5a471e508a85ca22c10bf7fe474587d1489f92131edda5de

SHA512
29cf0f1d433eead0117fdc371787752d9e701b1d64f3f78365be75e8378ca185e8608f95d51bbe27d00f8aa9421144c0c5932c11398e9408d96847800a16611f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sccU.exe

Filesize
640KB

MD5
c49aa605c427b678c138cd32752fc849

SHA1
cba521572f5b39e4ec650a8ba6fb15293d0d8b5c

SHA256
e83e06d302db66c4c8c5688d973a5c6e9aaf835038aba5fd4139237951700408

SHA512
310d7843f6c1e40df83d45c98c78aa01060b84b4a137ea6ca2407220f0306c80d3bce14663e274a4d35b32a38df23ba0672feb9e8ad04f60cd388877e72d7235

Download Submit
C:\Users\Admin\AppData\Local\Temp\swYm.exe

Filesize
764KB

MD5
42273acf4af02d14e8be09daf118773a

SHA1
06f9091a4abe66b3a3f6b0a97ab9b8f82c56f5dd

SHA256
529b8179b802d1ba61ca73526d57373d0fedfd5672b65f9e1c05b2f58a8e4782

SHA512
58366cfb35659273621fbd6883e3b8ca59e515eb643e59521bcba05ea5f22f8ff3106d9bb325c8faafee09083b299b37880afa2c2c973294e3014f9b81bee0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEkc.exe

Filesize
195KB

MD5
f3b87bbd97f52a065e4b24b0adbf7354

SHA1
497c839112e2a3a514201ef2525b28b3269b021c

SHA256
8811ca3b4b1e09c65a96fbc004fba9ecde2939a27d5eef87dfc8e110cb57071a

SHA512
80a0e2a0b8b98fc2d42c91e16b4350dfff4f44a60b247e37c6fd4ed4b8fe39fff699cf1a9f5b0884a03c323f8fcf79b2a42413ad587b99cdded985e8f67e674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMkC.exe

Filesize
202KB

MD5
5fe1550af68b8cbbd85d506f2bc94036

SHA1
6e7c55ec2014236668f99e778c13f50e670c8f76

SHA256
331a0420df7c2e75e1a721e63f083cf6019af4e2f54c4dbc26b73442175f7d18

SHA512
1a79b385a2392555e2984f62f0b27805362284ebd407020e591307c5fb4df8fa4be2475947e5d88430dfef8f36bfa670b0fa759a34b4cc7bbd460947db464181

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUos.exe

Filesize
197KB

MD5
7faf4f2afcb0b757950cbac50e5b119e

SHA1
4094404fb2f3dde44a723c11af6337174fe8fbf2

SHA256
1ffeecdab255c1f4c73542667641749e5d3541fd973bb8c327bfe1c6cda6dd0a

SHA512
1374f2873c90b037a505afed8ccf265a3d9e8502665031d87763b086c93bb27365795fc592b9d0ff577a805afa92c304a841bb234410ed8b5d4e89bc3e399c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAEi.exe

Filesize
196KB

MD5
d1cb56e826497848a130d9ef23a16e53

SHA1
6416dfe3321de23b363c2214ea731b227c32f8d6

SHA256
8f2174e361530982486530a2537c37b627aec2d4f9baf203e7e1609ed021a201

SHA512
9b800d162dd346ed72816362066cc23547d35dfb98458504d262f0865275f1f9a8af6899c38f84a7859ca06955ddcf3d3e45b1a6488b8c22abbe9a5118f2b911

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEgW.exe

Filesize
469KB

MD5
de850230cf977ed54d4958f4476973fc

SHA1
a61eb9402192f947fdf535bcfbaf41a643251aa7

SHA256
c89dc7a28d60ba48d0dbf039b35289532ab7945b664d88445f0a5c77d9dee557

SHA512
6b3ba0b6a87dcd1a7608612e8bd84e10788753cc046db0ea056d51b59c47b86213fe05e35d370fa03aa70c04ef7db4aa4d45fdf5d094648c87c4d14c800b0101

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMEY.exe

Filesize
192KB

MD5
2679f8133bbcf88c5b91d287364c644f

SHA1
331caa7cc3f0edb3f87e7d259fbc0ac996b9cdc0

SHA256
9f80d779b3160186599b2e05fe0cd40236718920f90609053577f4df4de6d170

SHA512
daf4a8821ac7debee00b9a39d7c95f2d3db7d622351b70b73c9b44bfc9855c1bb891a723c78e04e0a6d931cf539c4a0e0a3aef7756b37cdc978047e038c62a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUcs.exe

Filesize
195KB

MD5
8fa1b7f2e378c41c4336ce0629a463d7

SHA1
33595c47dc6aa32bb9aa4fcc445268dc44e3b932

SHA256
6ba32ec29ae223bfa06201637db68dc92a415b985785017e164a6917d4604ca3

SHA512
5e765b0281c7b0c0c5ca35781377de3126c8225aeec8e55f37541586d7ae848f1f70608467eee7a211b151b39a89e085ac44db12c4030faee92d0b3e96f1837b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgI.exe

Filesize
209KB

MD5
1fbac6f6f2c2da29e7409a61e64827a1

SHA1
9ab102f6e37bb5c68137b1b492e90c63ed71f4f8

SHA256
cf6d6c3736065cb5532c48d850a927098d508dcc4a56ce1376856db89783f85e

SHA512
5c1fdf2ad40e970c2671e383144f97acc98d49c7b813a548302b16db12d094e33be0dfce47d25d7c70792a61b5f831db7cbf54a9f795fd10130f88642f2bf4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkwe.exe

Filesize
576KB

MD5
bad094b8f6cf4e0d8bd574a1900f8023

SHA1
cc29396705d7cd558078c513a81122193134170b

SHA256
d3e827ae71d0eb5395d054200ea282544dc084795c1162eee87a2645d41f29c8

SHA512
3803f41dfd03caec90986434a6ca7c1361c136531da57f3553b2a32d0fcb30317072237dc371e90d1519783f2e5ddb57b7b8882c225d61956e4eeacf697debcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycAG.exe

Filesize
602KB

MD5
64d5cda1307e5a29945091d79a269f98

SHA1
e63cc43617ad0ad6bc3c1ca91442eef9aad1b78a

SHA256
14f5fd3e68a289745dd2f746add4c1ad846400549ba9b24db3a95080da5f4968

SHA512
719adf46e2c5860e9a00fa05cc55a48f8eed2147318a75df2efc74aa2401b719b7028b4a99bd428d7b17047fbf2d3ee8b58b9db8571d6450eb272770e5cfa0fa

Download Submit
C:\Users\Admin\USMQAEkw\cwkokwAo.exe

Filesize
182KB

MD5
8ef31a90d1903a208347d3d4d5b0bdb7

SHA1
4b5c5524261f3fbb32fb3a6e0de6ce185ecc147e

SHA256
aca317eea972f8659519fc0981874f5353b9da0a02cd2075cee6c3fb95ee1c41

SHA512
22b8f7013b822a3c1b592e87b96402f77fdd89c4f65aa4460a753ca7cd19b4b0ceaa02f0e3c63c146ab791a1b9a05bdc1a7b42ff21b2762d440c79ab04bbd9a1

Download Submit
C:\Users\Admin\USMQAEkw\cwkokwAo.inf

Filesize
4B

MD5
8202f0381c77c5439d6b233ac89b6290

SHA1
112cedf3b718ce996d40e4cf3fcf62bf06747fe8

SHA256
9d5abbd1b894d2485af1109ddbdcd1967cfc8908850e8b2949fe50a0972bd018

SHA512
04a20f82492b24d6413930f84eda12569411ea1193642eebe57e19244c5cd28475d8fa8c7778e73ebbef1c6ede0211faa6a31cf56ebf4b5b7d7beb184b2d3a6c

Download Submit
memory/332-660-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/332-652-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/464-378-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/464-424-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/516-149-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/548-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/640-596-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/776-256-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/776-523-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/876-325-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/964-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1208-606-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1356-441-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1356-449-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1448-680-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1448-687-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1536-282-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-360-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1600-497-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1724-440-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1800-333-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1824-581-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1824-588-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1892-370-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1924-513-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2012-505-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2024-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2024-53-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2056-272-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2100-185-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2188-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2232-569-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2232-579-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2296-635-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2296-643-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2396-307-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2416-607-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2416-615-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2424-138-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2432-103-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2472-539-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2492-398-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2492-387-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2524-298-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2540-450-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2540-460-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2748-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2828-306-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2828-317-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3108-290-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3432-559-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3432-551-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3432-469-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3432-461-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3448-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3484-678-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-116-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3632-531-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3636-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3636-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3820-414-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3852-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3864-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4016-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4076-352-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4144-246-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4148-197-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4148-188-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4200-670-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4248-406-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4248-394-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4280-540-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4280-550-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4396-344-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4396-334-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4400-479-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4400-489-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4676-210-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4764-386-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4764-432-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4772-127-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4780-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4780-45-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4792-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4792-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4820-478-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4820-470-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4820-221-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4832-560-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4832-568-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4856-651-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4964-623-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4988-624-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4988-634-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5088-264-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download