d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Analysis

max time kernel
183s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 19:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
Size

489KB
MD5

546554152709f074e953574b2f8fc230
SHA1

b694e2efbf05dcb8ebe4cf184f1553732522026f
SHA256

d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
SHA512

cf45eabec73079377704b0c72ceb2835edc247acfa35bc4f0bfae0d6ca1e4833cb2c90bcabea2ad0e05f59cb84a6e94b4024feab707fc0f2ee9e8c004d3556f4
SSDEEP

12288:VG9Or/XvReObFLnbJjUYP83kkS4Adhlp3H5jAcm:VC6XvR1bFLnbJ9P83kkS4Slt5jNm

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\oMYYkgIo\\RmwYUAMQ.exe,"	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\oMYYkgIo\\RmwYUAMQ.exe,"	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2248	qywcIccg.exe
4692	RmwYUAMQ.exe
2020	UUgMEQow.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	qywcIccg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qywcIccg.exe = "C:\\Users\\Admin\\rmAIwYsw\\qywcIccg.exe"	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RmwYUAMQ.exe = "C:\\ProgramData\\oMYYkgIo\\RmwYUAMQ.exe"	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qywcIccg.exe = "C:\\Users\\Admin\\rmAIwYsw\\qywcIccg.exe"	qywcIccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RmwYUAMQ.exe = "C:\\ProgramData\\oMYYkgIo\\RmwYUAMQ.exe"	RmwYUAMQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RmwYUAMQ.exe = "C:\\ProgramData\\oMYYkgIo\\RmwYUAMQ.exe"	UUgMEQow.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\rmAIwYsw	UUgMEQow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\rmAIwYsw\qywcIccg	UUgMEQow.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	qywcIccg.exe
File opened for modification	C:\Windows\SysWOW64\sheLockSelect.wma	qywcIccg.exe
File opened for modification	C:\Windows\SysWOW64\sheSyncInitialize.docx	qywcIccg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5768	reg.exe
5668	reg.exe
1952	reg.exe
3592	reg.exe
4608	reg.exe
5444	reg.exe
5580	reg.exe
3656	reg.exe
6016	reg.exe
4012	reg.exe
2392	reg.exe
5036	reg.exe
744	reg.exe
4336	reg.exe
952	reg.exe
3840	reg.exe
1452	reg.exe
4556	reg.exe
3404	reg.exe
4852	reg.exe
4504	reg.exe
5884	reg.exe
2204	reg.exe
4792	reg.exe
3856	reg.exe
4320	reg.exe
5888	reg.exe
5344	reg.exe
5456	reg.exe
2224	reg.exe
3928	reg.exe
2676	reg.exe
5888	reg.exe
4932	reg.exe
3648	reg.exe
5960	reg.exe
3112	reg.exe
1644	reg.exe
4908	reg.exe
4292	reg.exe
1816	reg.exe
3612	reg.exe
2148	reg.exe
2832	reg.exe
5028	reg.exe
1632	reg.exe
5856	reg.exe
3212	reg.exe
4264	reg.exe
5804	reg.exe
5816	reg.exe
3856	reg.exe
3748	reg.exe
3244	reg.exe
1296	reg.exe
4584	reg.exe
2572	reg.exe
4184	reg.exe
4124	reg.exe
4448	reg.exe
2028	reg.exe
2100	reg.exe
4228	reg.exe
5372	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2024	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2024	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2024	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2024	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2504	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2504	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2504	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2504	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3748	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3748	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3748	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3748	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2620	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2620	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2620	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2620	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2348	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2348	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2348	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2348	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3080	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3080	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3080	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
3080	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1952	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1952	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1952	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1952	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2100	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2100	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2100	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2100	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4136	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4136	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4136	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4136	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2340	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2340	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2340	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
2340	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1344	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1344	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1344	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
1344	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4992	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4992	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4992	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4992	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4936	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4936	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4936	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
4936	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe
2248	qywcIccg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2248	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	80
PID 4888 wrote to memory of 2248	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	80
PID 4888 wrote to memory of 2248	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	80
PID 4888 wrote to memory of 4692	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	81
PID 4888 wrote to memory of 4692	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	81
PID 4888 wrote to memory of 4692	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	81
PID 4888 wrote to memory of 4820	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	83
PID 4888 wrote to memory of 4820	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	83
PID 4888 wrote to memory of 4820	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	83
PID 4820 wrote to memory of 3884	4820	cmd.exe	85
PID 4820 wrote to memory of 3884	4820	cmd.exe	85
PID 4820 wrote to memory of 3884	4820	cmd.exe	85
PID 3884 wrote to memory of 208	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	86
PID 3884 wrote to memory of 208	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	86
PID 3884 wrote to memory of 208	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	86
PID 4888 wrote to memory of 228	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	88
PID 4888 wrote to memory of 228	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	88
PID 4888 wrote to memory of 228	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	88
PID 4888 wrote to memory of 2204	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	90
PID 4888 wrote to memory of 2204	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	90
PID 4888 wrote to memory of 2204	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	90
PID 4888 wrote to memory of 1972	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	92
PID 4888 wrote to memory of 1972	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	92
PID 4888 wrote to memory of 1972	4888	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	92
PID 3884 wrote to memory of 380	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	93
PID 3884 wrote to memory of 380	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	93
PID 3884 wrote to memory of 380	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	93
PID 3884 wrote to memory of 3988	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	94
PID 3884 wrote to memory of 3988	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	94
PID 3884 wrote to memory of 3988	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	94
PID 3884 wrote to memory of 5096	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	98
PID 3884 wrote to memory of 5096	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	98
PID 3884 wrote to memory of 5096	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	98
PID 208 wrote to memory of 1248	208	cmd.exe	100
PID 208 wrote to memory of 1248	208	cmd.exe	100
PID 208 wrote to memory of 1248	208	cmd.exe	100
PID 3884 wrote to memory of 1964	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	101
PID 3884 wrote to memory of 1964	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	101
PID 3884 wrote to memory of 1964	3884	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	101
PID 1248 wrote to memory of 3240	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	103
PID 1248 wrote to memory of 3240	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	103
PID 1248 wrote to memory of 3240	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	103
PID 1248 wrote to memory of 716	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	105
PID 1248 wrote to memory of 716	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	105
PID 1248 wrote to memory of 716	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	105
PID 1248 wrote to memory of 744	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	107
PID 1248 wrote to memory of 744	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	107
PID 1248 wrote to memory of 744	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	107
PID 1248 wrote to memory of 3256	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	109
PID 1248 wrote to memory of 3256	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	109
PID 1248 wrote to memory of 3256	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	109
PID 1248 wrote to memory of 4844	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	111
PID 1248 wrote to memory of 4844	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	111
PID 1248 wrote to memory of 4844	1248	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	111
PID 3240 wrote to memory of 2024	3240	cmd.exe	113
PID 3240 wrote to memory of 2024	3240	cmd.exe	113
PID 3240 wrote to memory of 2024	3240	cmd.exe	113
PID 4844 wrote to memory of 844	4844	cmd.exe	115
PID 4844 wrote to memory of 844	4844	cmd.exe	115
PID 4844 wrote to memory of 844	4844	cmd.exe	115
PID 1964 wrote to memory of 764	1964	cmd.exe	114
PID 1964 wrote to memory of 764	1964	cmd.exe	114
PID 1964 wrote to memory of 764	1964	cmd.exe	114
PID 2024 wrote to memory of 1840	2024	d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe	116

C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
"C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\rmAIwYsw\qywcIccg.exe
  "C:\Users\Admin\rmAIwYsw\qywcIccg.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  PID:2248
- C:\ProgramData\oMYYkgIo\RmwYUAMQ.exe
  "C:\ProgramData\oMYYkgIo\RmwYUAMQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
    C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        8⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        10⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        12⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        14⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        16⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        18⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        20⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        22⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        24⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        26⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        28⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        30⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        32⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        33⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        34⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        35⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        36⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        37⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        38⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        39⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        40⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        41⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        42⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        43⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        44⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        45⤵
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        46⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        47⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        48⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        49⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        50⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        51⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        52⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        53⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        54⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        55⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        56⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        57⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        58⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        59⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        60⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        61⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        62⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        63⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        64⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        65⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        66⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        67⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        68⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        69⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        70⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        71⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        72⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        73⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        74⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        75⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        76⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        77⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        78⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        79⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        80⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        81⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        82⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        83⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        84⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        85⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        86⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        87⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        88⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        89⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        90⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        91⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        92⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        93⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        94⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        95⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        96⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        97⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        98⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        99⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        100⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        101⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        102⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        103⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        104⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        105⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        106⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        107⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        108⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        109⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        110⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        111⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        112⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        113⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        114⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        115⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        116⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        117⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        118⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        119⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        120⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        121⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        122⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        123⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        124⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        125⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        126⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        127⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        128⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        129⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        130⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        131⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        132⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        133⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        134⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        135⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        136⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        137⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        138⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        139⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        140⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        141⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        142⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        143⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        144⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        145⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        146⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        147⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        148⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        149⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        150⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        151⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        152⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        153⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        154⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        155⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        156⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        157⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        158⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        159⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        160⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        161⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        162⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        163⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        164⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        165⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        166⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        167⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        168⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        169⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        170⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        171⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        172⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        173⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        174⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        175⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        176⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        177⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        178⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        179⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        180⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        181⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        182⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        183⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        184⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        185⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        186⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        187⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        188⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        189⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        190⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        191⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        192⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        193⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        194⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        195⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        196⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        197⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        198⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        199⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        200⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        201⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        202⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        203⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        204⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        205⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        206⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        207⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        208⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        209⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        210⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        211⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        212⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        213⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        214⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        215⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        216⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        217⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        218⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        219⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        220⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        221⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        222⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        223⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        224⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        225⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        226⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        227⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        228⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        229⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        230⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        231⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        232⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        233⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        234⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        235⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        236⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        237⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        238⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        239⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        240⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1
        241⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1"
        242⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGAIMEMw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        242⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies registry key
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmEQoAME.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        240⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMAMQIIA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        238⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSwcsgEk.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        236⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:5936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gycYAMws.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        234⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IscYIQoY.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        232⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeoAkEYc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        230⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOkcUkIU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        228⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWwkIgkw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        226⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGwIwMAU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        224⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        Modifies registry key
        
        PID:5456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QScIoQEE.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        222⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeAUMsEk.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        220⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIMkgQMg.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        218⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pesQUgcg.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        216⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        Modifies registry key
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUMMcYgc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        214⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsAYIYIU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        212⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        Modifies registry key
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OekEIocs.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        210⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dykQEYEM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        208⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEkcgEYA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        206⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGwAYIYc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        204⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAkkkcko.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        202⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSkUQYAU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        200⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guQEsosU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        198⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyEokIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        196⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiIQkMoM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        194⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKsMoYcI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        192⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:5608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEIQMgUA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        190⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqcoMEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        188⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:5932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIUcwoA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        186⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qackEoAI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        184⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOMwsYwE.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        182⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSQsMscU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        180⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWUUoQIk.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        178⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        Modifies registry key
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGEYkwkM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        176⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiMcwEMA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        174⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMIoooEI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        172⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        Modifies registry key
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paQwwgEw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        170⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:5396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkAokEcE.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        168⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwgwwogc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        166⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weAcoMEc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        164⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQUgssEI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        162⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lccEgIsc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        160⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcwgEMYw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        158⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUoUAAIE.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        156⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAMksMgE.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        154⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FigEwsEc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        152⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyooIoEY.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        150⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYsIUMIc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        148⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGMcEkkQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        146⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoEMkEUc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        144⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqcIoUok.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        142⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:5960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGocsAok.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        140⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NycsYkck.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        138⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:5444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUcogUEI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        136⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWwYQwco.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        134⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSsIwgIs.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        132⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmAMMggo.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        130⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:5684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqEMQcEM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        128⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciAcIcsI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        126⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiIIIAok.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        124⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWEsQEQw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        122⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCUwUwco.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        120⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyQAIUss.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        118⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maQIAwkc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        116⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKoogskA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        114⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAkggcQk.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        112⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkQkMQsw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        110⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:5632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUEscwww.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        108⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HackkwoE.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        106⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwQUkkoE.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        104⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zycUwYsM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        102⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwYYUEso.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        100⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:5372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WakwUYUU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        98⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGUIsocw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        96⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQYMUsQo.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        94⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQEIUoAI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        92⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igQsoQgI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        90⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUAEwUog.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        88⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQEkkMEE.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        86⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWoYggoU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        84⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGcAckgI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        82⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcYQAEcw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        80⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyskEgEM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        78⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMgocMsU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        76⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIQwMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        74⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsgYEkgM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        72⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWMkoEss.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        70⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAgkwoAI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        68⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:5520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:5272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMEAUIYk.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        66⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kowMUwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        64⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKAYYgkc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        62⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGYkcoUo.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        60⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raIMocow.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        58⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSAkYskk.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        56⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQUsgMMk.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        54⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKcUMEEA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        52⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSooIQgo.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        50⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWgggoAg.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        48⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naAcEEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        46⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYkIQwkM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        44⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IescIcsU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        42⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeswQQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        40⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIYoAQoA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        38⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csoQQgks.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        36⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUgYgEok.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        34⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUgwAQsA.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        32⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGcYMgEY.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        30⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMkUEUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        28⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCkwksYk.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        26⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWkUQQoo.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        24⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEgMgUEw.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        22⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKkMUEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        20⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQwYEYYc.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        18⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOEIkwYs.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        16⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOsAUQYU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        14⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQMYccwU.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        12⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaAkIUUY.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        10⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QecMEssM.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        8⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1544
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:716
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:744
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3256
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYsokwwI.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:844
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuUcUYsg.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2204
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viUscEEs.bat" "C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1.exe""
  2⤵
  PID:5532
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1072

C:\ProgramData\KWgsQIUo\UUgMEQow.exe
C:\ProgramData\KWgsQIUo\UUgMEQow.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KWgsQIUo\UUgMEQow.exe

Filesize
478KB

MD5
8cf1ea7452f1a30fbc0ce72a77cacc56

SHA1
e1ddccdecbcc0fa6f89a7577c6683777087b3cae

SHA256
e5606567bcfa348b92b5d203ad43be3f1adaf91990baa8e93ee0275d24e52f41

SHA512
6f55984b0dc71a8747f6946c8a3f89bf8b8cac296eb56600a0b02ce1e3015a2163ef5d32da59cb133057a3b612876eb9ed41f69731f4791e0736f1bb18130b1a

Download Submit
C:\ProgramData\KWgsQIUo\UUgMEQow.exe

Filesize
478KB

MD5
8cf1ea7452f1a30fbc0ce72a77cacc56

SHA1
e1ddccdecbcc0fa6f89a7577c6683777087b3cae

SHA256
e5606567bcfa348b92b5d203ad43be3f1adaf91990baa8e93ee0275d24e52f41

SHA512
6f55984b0dc71a8747f6946c8a3f89bf8b8cac296eb56600a0b02ce1e3015a2163ef5d32da59cb133057a3b612876eb9ed41f69731f4791e0736f1bb18130b1a

Download Submit
C:\ProgramData\oMYYkgIo\RmwYUAMQ.exe

Filesize
478KB

MD5
1e737bfb1a0350f7ead636fc2ce845bc

SHA1
81f5a231a107c00298261b74d3891df57ec5259d

SHA256
6d358e618a0c90c4ddb204f23b62fd58db5923485e57b82d7bf32d9b5f7af5bf

SHA512
acda24a73ba06b5e9244bcecc3cc10536b3b3a0dee0e0149366799e0199d0e196f001b7a61be57918828c7078701a69adf088cc2d2b37961ff91b4b739b0baee

Download Submit
C:\ProgramData\oMYYkgIo\RmwYUAMQ.exe

Filesize
478KB

MD5
1e737bfb1a0350f7ead636fc2ce845bc

SHA1
81f5a231a107c00298261b74d3891df57ec5259d

SHA256
6d358e618a0c90c4ddb204f23b62fd58db5923485e57b82d7bf32d9b5f7af5bf

SHA512
acda24a73ba06b5e9244bcecc3cc10536b3b3a0dee0e0149366799e0199d0e196f001b7a61be57918828c7078701a69adf088cc2d2b37961ff91b4b739b0baee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUgYgEok.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWkUQQoo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeswQQEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOEIkwYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IescIcsU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQwYEYYc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIYoAQoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOsAUQYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NaAkIUUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuUcUYsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGcYMgEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QecMEssM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKkMUEgQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEgMgUEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMkUEUsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\csoQQgks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243a342c76ea5b9d9c37671f1ea3260d637a553945037781f71d9973cecc0d1

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYsokwwI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCkwksYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQMYccwU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUgwAQsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\rmAIwYsw\qywcIccg.exe

Filesize
477KB

MD5
c962fc185a3955437a40d32d609f3705

SHA1
e39df700ee75f6b92203b9f607d52aebbff53f26

SHA256
de458e779f20bd78e8fad88ed3545443ca0451f6ffe0add7670131d4e0b6947b

SHA512
b34381e6af0eae5ffe65e3bf496fbc0b5fe59cf10b3d5f0e8e51c3b530f4f625b749880568d15cce7d9b0a6011b510d05eea24d91c68e66b9751ff9b6904eb5b

Download Submit
C:\Users\Admin\rmAIwYsw\qywcIccg.exe

Filesize
477KB

MD5
c962fc185a3955437a40d32d609f3705

SHA1
e39df700ee75f6b92203b9f607d52aebbff53f26

SHA256
de458e779f20bd78e8fad88ed3545443ca0451f6ffe0add7670131d4e0b6947b

SHA512
b34381e6af0eae5ffe65e3bf496fbc0b5fe59cf10b3d5f0e8e51c3b530f4f625b749880568d15cce7d9b0a6011b510d05eea24d91c68e66b9751ff9b6904eb5b

Download Submit
memory/204-320-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/204-313-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/204-300-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1248-156-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1248-204-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1344-266-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1344-264-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1952-243-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1952-246-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2020-144-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2024-203-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2024-176-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2100-250-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2228-318-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2228-319-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2248-140-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2248-257-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2340-259-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2340-261-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2348-227-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2504-178-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2504-200-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2584-286-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2584-288-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2620-216-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2620-207-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3016-283-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3080-228-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3080-235-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3196-299-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3424-296-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3424-297-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3588-303-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3588-304-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3748-198-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3884-202-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3884-155-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4136-254-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4180-305-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4420-309-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4420-308-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4468-302-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4468-301-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4692-141-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4692-258-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4704-279-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4704-275-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4840-292-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4888-132-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4888-206-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4896-306-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4896-307-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4936-274-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4992-268-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5144-310-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5344-312-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5344-311-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5492-321-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5492-322-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5688-314-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5688-315-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5864-323-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5924-316-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5924-317-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download