b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Analysis

max time kernel
171s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 19:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
Size

439KB
MD5

7140d81c5f444abc46e4ea47e09f06a0
SHA1

414554f75a407d838686f4c27e1ef886859d37e1
SHA256

b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
SHA512

94da8567ba8398ca058376916d15deb79b04559278ca13d9154992272d076a8e90f451b07a1a3ffc90ce023999cf6b7b51edf3aa6dcd84b9aee0663cd6666db0
SSDEEP

6144:17vTpBt2avt4KJ8g6vNeNCr5RCpXml0Av4pCmg5ym0u4DIO+0vYOPS1HO2t:VTF2aiKMv54MSAmLsWPS1

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4496	wmYoowUI.exe
1788	sAQMwYss.exe
3156	HIsUEIME.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sAQMwYss.exe = "C:\\ProgramData\\HuwkIAUE\\sAQMwYss.exe"	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmYoowUI.exe = "C:\\Users\\Admin\\HqMQIscg\\wmYoowUI.exe"	wmYoowUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sAQMwYss.exe = "C:\\ProgramData\\HuwkIAUE\\sAQMwYss.exe"	sAQMwYss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sAQMwYss.exe = "C:\\ProgramData\\HuwkIAUE\\sAQMwYss.exe"	HIsUEIME.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmYoowUI.exe = "C:\\Users\\Admin\\HqMQIscg\\wmYoowUI.exe"	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheSuspendPing.mpg	wmYoowUI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HqMQIscg	HIsUEIME.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HqMQIscg\wmYoowUI	HIsUEIME.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	wmYoowUI.exe
File opened for modification	C:\Windows\SysWOW64\sheDismountWatch.wma	wmYoowUI.exe
File opened for modification	C:\Windows\SysWOW64\shePushPing.zip	wmYoowUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5308	reg.exe
5248	reg.exe
5424	reg.exe
1444	reg.exe
1808	reg.exe
6004	reg.exe
2556	reg.exe
5712	reg.exe
5924	reg.exe
5524	reg.exe
1432	reg.exe
1404	reg.exe
3620	reg.exe
3416	reg.exe
2616	reg.exe
5380	reg.exe
3320	reg.exe
400	reg.exe
3772	reg.exe
3756	reg.exe
3952	reg.exe
5148	reg.exe
3724	reg.exe
5288	reg.exe
3100	reg.exe
5300	reg.exe
5304	reg.exe
3956	reg.exe
1664	reg.exe
4060	reg.exe
3820	reg.exe
5948	reg.exe
2052	reg.exe
876	reg.exe
4320	reg.exe
6072	reg.exe
3480	reg.exe
2252	reg.exe
3480	reg.exe
5824	reg.exe
5964	reg.exe
1396	reg.exe
5924	reg.exe
5848	reg.exe
3692	reg.exe
5336	reg.exe
2544	reg.exe
1180	reg.exe
4716	reg.exe
5272	reg.exe
2136	reg.exe
3540	reg.exe
1312	reg.exe
840	reg.exe
5280	reg.exe
548	reg.exe
2076	reg.exe
4144	reg.exe
3108	reg.exe
3232	reg.exe
1744	reg.exe
4368	reg.exe
3916	reg.exe
2360	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1944	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1944	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1944	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1944	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1192	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1192	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1192	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1192	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4956	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4956	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4956	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4956	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
5024	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
5024	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
5024	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
5024	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3756	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3756	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3756	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3756	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1604	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1604	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1604	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
1604	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4916	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4916	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4916	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4916	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
772	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
772	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
772	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
772	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
2372	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
2372	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
2372	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
2372	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4076	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4076	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4076	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4076	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3756	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3756	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3756	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
3756	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4952	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4952	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4952	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
4952	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4496	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	81
PID 1280 wrote to memory of 4496	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	81
PID 1280 wrote to memory of 4496	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	81
PID 1280 wrote to memory of 1788	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	82
PID 1280 wrote to memory of 1788	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	82
PID 1280 wrote to memory of 1788	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	82
PID 1280 wrote to memory of 2124	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	84
PID 1280 wrote to memory of 2124	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	84
PID 1280 wrote to memory of 2124	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	84
PID 1280 wrote to memory of 648	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	85
PID 1280 wrote to memory of 648	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	85
PID 1280 wrote to memory of 648	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	85
PID 1280 wrote to memory of 1180	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	86
PID 1280 wrote to memory of 1180	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	86
PID 1280 wrote to memory of 1180	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	86
PID 1280 wrote to memory of 2980	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	87
PID 1280 wrote to memory of 2980	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	87
PID 1280 wrote to memory of 2980	1280	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	87
PID 2124 wrote to memory of 3692	2124	cmd.exe	92
PID 2124 wrote to memory of 3692	2124	cmd.exe	92
PID 2124 wrote to memory of 3692	2124	cmd.exe	92
PID 3692 wrote to memory of 3940	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	93
PID 3692 wrote to memory of 3940	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	93
PID 3692 wrote to memory of 3940	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	93
PID 3692 wrote to memory of 988	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	95
PID 3692 wrote to memory of 988	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	95
PID 3692 wrote to memory of 988	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	95
PID 3940 wrote to memory of 1004	3940	cmd.exe	96
PID 3940 wrote to memory of 1004	3940	cmd.exe	96
PID 3940 wrote to memory of 1004	3940	cmd.exe	96
PID 3692 wrote to memory of 1948	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	97
PID 3692 wrote to memory of 1948	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	97
PID 3692 wrote to memory of 1948	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	97
PID 3692 wrote to memory of 4308	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	100
PID 3692 wrote to memory of 4308	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	100
PID 3692 wrote to memory of 4308	3692	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	100
PID 1004 wrote to memory of 3100	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	102
PID 1004 wrote to memory of 3100	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	102
PID 1004 wrote to memory of 3100	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	102
PID 3100 wrote to memory of 2176	3100	cmd.exe	104
PID 3100 wrote to memory of 2176	3100	cmd.exe	104
PID 3100 wrote to memory of 2176	3100	cmd.exe	104
PID 1004 wrote to memory of 3108	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	105
PID 1004 wrote to memory of 3108	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	105
PID 1004 wrote to memory of 3108	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	105
PID 1004 wrote to memory of 3232	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	108
PID 1004 wrote to memory of 3232	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	108
PID 1004 wrote to memory of 3232	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	108
PID 1004 wrote to memory of 4972	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	107
PID 1004 wrote to memory of 4972	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	107
PID 1004 wrote to memory of 4972	1004	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	107
PID 2176 wrote to memory of 3876	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	111
PID 2176 wrote to memory of 3876	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	111
PID 2176 wrote to memory of 3876	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	111
PID 3876 wrote to memory of 1944	3876	cmd.exe	113
PID 3876 wrote to memory of 1944	3876	cmd.exe	113
PID 3876 wrote to memory of 1944	3876	cmd.exe	113
PID 2176 wrote to memory of 1404	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	114
PID 2176 wrote to memory of 1404	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	114
PID 2176 wrote to memory of 1404	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	114
PID 2176 wrote to memory of 3308	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	115
PID 2176 wrote to memory of 3308	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	115
PID 2176 wrote to memory of 3308	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	115
PID 2176 wrote to memory of 4420	2176	b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe	116

C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
"C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\HqMQIscg\wmYoowUI.exe
  "C:\Users\Admin\HqMQIscg\wmYoowUI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:4496
- C:\ProgramData\HuwkIAUE\sAQMwYss.exe
  "C:\ProgramData\HuwkIAUE\sAQMwYss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
    C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        10⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        12⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        14⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        16⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        18⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        20⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        22⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        24⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        26⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        28⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        30⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        32⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        33⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        34⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        35⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        36⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        37⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        38⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        39⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        40⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        41⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        42⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        43⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        44⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        45⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        46⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        47⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        48⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        49⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        50⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        51⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        52⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        53⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        54⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        55⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        56⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        57⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        58⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        59⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        60⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        61⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        62⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        63⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        64⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        65⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        66⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        67⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        68⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        69⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        70⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        71⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        72⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        73⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        74⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        75⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        76⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        77⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        78⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        79⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        80⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        81⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        82⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        83⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        84⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        85⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        86⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        87⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        88⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        89⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        90⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        91⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        92⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        93⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        94⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        95⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        96⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        97⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        98⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        99⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        100⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        101⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        102⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        103⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        104⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        105⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        106⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        107⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        108⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        109⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        110⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        111⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        112⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        113⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        114⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        115⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        116⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        117⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        118⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        119⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        120⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        121⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        122⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        123⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        124⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        125⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        126⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        127⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        128⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        129⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        130⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        131⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        132⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        133⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        134⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        135⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        136⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        137⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        138⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        139⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        140⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        141⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        142⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        143⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        144⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        145⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        146⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        147⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        148⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        149⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        150⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        151⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        152⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        153⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        154⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        155⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        156⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        157⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        158⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        159⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        160⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        161⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        162⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        163⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        164⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        165⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        166⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        167⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        168⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        169⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        170⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        171⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        172⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        173⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        174⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        175⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        176⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        177⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        178⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        179⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        180⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        181⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        182⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        183⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        184⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        185⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        186⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        187⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        188⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        189⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        190⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        191⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        192⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        193⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        194⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        195⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        196⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        197⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        198⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        199⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        200⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        201⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        202⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        203⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        204⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        205⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        206⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        207⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        208⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        209⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        210⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        211⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        212⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        213⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        214⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        215⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        216⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        217⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        218⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5
        219⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5"
        220⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIYgIkAg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        220⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JowwIgQw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        218⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vksoEUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        216⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCAAAAQg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        214⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        Modifies registry key
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgUkwYUk.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        212⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZikEAcYc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        210⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REEMwcwA.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        208⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEcEsQQc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        206⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSEAEMks.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        204⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:5304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqUQsswY.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        202⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fusQcgAU.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        200⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paMEYcUc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        198⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQAgcAkw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        196⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fScAkoQc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        194⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omIAAAMA.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        192⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:5360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwUkcYEM.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        190⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGEQocUg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        188⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkgwAAws.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        186⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icAUgAww.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        184⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKEIoQUw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        182⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIwAoYQM.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        180⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkQwwooE.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        178⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKUskIoI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        176⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wggIQsIo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        174⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyAckcQk.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        172⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:5144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwwgwsAY.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        170⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CucgkcYE.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        168⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:6140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWcsUYEI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        166⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOckEoQY.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        164⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQscMsUU.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        162⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:5336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skwUswsI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        160⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYoQwQAw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        158⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rewUMggo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        156⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkIMQEws.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        154⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiwIgsYs.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        152⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCoAgcwc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        150⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYYUUAko.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        148⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggcsoQIo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        146⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:5964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWwokEsY.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        144⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIEMcocE.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        142⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:5276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCMAwIIo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        140⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWocsEcw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        138⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWQkMksc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        136⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQYMUsQY.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        134⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkYIIYIY.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        132⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYoEwYIU.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        130⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euYYcUAo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        128⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkoYkgYs.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        126⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOsIcUMo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        124⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKwkAEYs.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        122⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:5320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lygoQsck.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        120⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGEUEQMM.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        118⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEcQAcIA.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        116⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMQAQsA.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        114⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCkUIwEM.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        112⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:5924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zucoIQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        110⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwMEkcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        108⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:5948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaUAccgI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        106⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGIAYEUw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        104⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMUQkYMc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        102⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAkMIcIw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        100⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIsMskcA.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        98⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwQwkkgM.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        96⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:6060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygwwEkgg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        94⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CosUIMgo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        92⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSsgwYgo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        90⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yowkgkgk.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        88⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeQgMokQ.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        86⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmEUIIkA.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        84⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUwUAYsw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        82⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:5380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:6052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYQcsYAc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        80⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiAAEUEs.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        78⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEIosIgw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        76⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCQMIQIo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        74⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIYMgQcI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        72⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:5924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkAcIUMc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        70⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukMsUgYc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        68⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqIsQkwI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        66⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:5720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:5712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQQoEQkg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        64⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGYwsowg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        62⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSkUAQsk.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        60⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISIAAogs.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        58⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYMcwQMg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        56⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmAEcMgI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        54⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiAgcgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        52⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQcgUwYo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        50⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkYkgMII.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        48⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWokkowE.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        46⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAYMMwUg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        44⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toQgkckk.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        42⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xowQYIcE.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        40⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSAQwAAI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        38⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zycEwUww.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        36⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQAYEEgo.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        34⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqgwQIYg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        32⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dacIUgUU.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        30⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeMMAoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        28⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OowosAwI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        26⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCIEwsUY.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        24⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQQQEMMg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        22⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeMUAgEM.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        20⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQMMAgIE.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        18⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAUUIckc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        16⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmkYQksw.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        14⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kggcwckU.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        12⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEsosIMg.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        10⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCskMoUA.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3496
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcEAEMog.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
        6⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:5088
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:988
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoAIIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
      4⤵
      PID:2120
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1812
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1180
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIMwUYsI.bat" "C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5.exe""
  2⤵
  PID:4984
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5756

C:\ProgramData\SMUUAYko\HIsUEIME.exe
C:\ProgramData\SMUUAYko\HIsUEIME.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HuwkIAUE\sAQMwYss.exe

Filesize
430KB

MD5
ad5838a18aa61bddaeed146f6af5a027

SHA1
aea1667d2cdc175a083afef60e6ae9ab85273d0c

SHA256
c8a1d1182932b3b0075f79b09c4eb5db87920ec8111df6c567ca3e5f8aad5093

SHA512
6a47ba30081a4ef80816fc85cd19561f8487373331f9693a53c6d13877320f698117e880de509b1a1d4c1e5fca4ff7b3b69397e145a4abe1441e9fb85e6a4c0d

Download Submit
C:\ProgramData\HuwkIAUE\sAQMwYss.exe

Filesize
430KB

MD5
ad5838a18aa61bddaeed146f6af5a027

SHA1
aea1667d2cdc175a083afef60e6ae9ab85273d0c

SHA256
c8a1d1182932b3b0075f79b09c4eb5db87920ec8111df6c567ca3e5f8aad5093

SHA512
6a47ba30081a4ef80816fc85cd19561f8487373331f9693a53c6d13877320f698117e880de509b1a1d4c1e5fca4ff7b3b69397e145a4abe1441e9fb85e6a4c0d

Download Submit
C:\ProgramData\SMUUAYko\HIsUEIME.exe

Filesize
437KB

MD5
13d54675355cb4b9051c4ff441e96707

SHA1
08d50d7441ba1bf4fa1d00d6e5fd7d168b45ad37

SHA256
a9cebb555befd2064617050ec16549abdd9c3d9cf4530ecb89f76d035646b78a

SHA512
3180b468fe601224ecb95b10cafa25eef57263795538fbd5e953a7e6b22b13a31fa11d9324ee5f5457945ac376491226916fda528f920c672dd793bc855926ad

Download Submit
C:\ProgramData\SMUUAYko\HIsUEIME.exe

Filesize
437KB

MD5
13d54675355cb4b9051c4ff441e96707

SHA1
08d50d7441ba1bf4fa1d00d6e5fd7d168b45ad37

SHA256
a9cebb555befd2064617050ec16549abdd9c3d9cf4530ecb89f76d035646b78a

SHA512
3180b468fe601224ecb95b10cafa25eef57263795538fbd5e953a7e6b22b13a31fa11d9324ee5f5457945ac376491226916fda528f920c672dd793bc855926ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQQQEMMg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GeMUAgEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcEAEMog.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NCIEwsUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoAIIwEc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OowosAwI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqgwQIYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEsosIMg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAUUIckc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeMMAoEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d49c6baee7cf34972d0315a426034016e24a9e976d52df0427618746becce5

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmkYQksw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSAQwAAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dacIUgUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eCskMoUA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQAYEEgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kggcwckU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQMMAgIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAYMMwUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\toQgkckk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xowQYIcE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zycEwUww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\HqMQIscg\wmYoowUI.exe

Filesize
432KB

MD5
831b4c888e200a3da9c3dc0389b469eb

SHA1
7478f233a7323dbf8df2879f924a7e449a0e292c

SHA256
aeb722b90040ffe994fb147418b73e70350a4183c4585e8a5fd4d3bfc7fd8403

SHA512
fec3642df93f9aefc205a381f7bdec5b432846a6734ba8dac866cebefa2b42c51ccbb80344ddd520444ede283c01ce0148ac156c0ff1a0eb0f3a7bfceb29701b

Download Submit
C:\Users\Admin\HqMQIscg\wmYoowUI.exe

Filesize
432KB

MD5
831b4c888e200a3da9c3dc0389b469eb

SHA1
7478f233a7323dbf8df2879f924a7e449a0e292c

SHA256
aeb722b90040ffe994fb147418b73e70350a4183c4585e8a5fd4d3bfc7fd8403

SHA512
fec3642df93f9aefc205a381f7bdec5b432846a6734ba8dac866cebefa2b42c51ccbb80344ddd520444ede283c01ce0148ac156c0ff1a0eb0f3a7bfceb29701b

Download Submit
memory/388-302-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/388-301-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/480-303-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/480-304-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/772-251-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/772-253-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/772-305-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-157-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-192-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1192-196-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1192-178-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1260-306-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1260-307-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1280-132-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1280-133-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1604-238-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1604-243-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1700-276-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1788-143-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1788-259-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1944-177-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1944-194-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2036-300-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2140-280-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2176-195-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2176-176-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2356-312-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2356-313-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2372-257-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3156-144-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3224-284-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3692-308-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3692-156-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3692-193-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3724-291-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3744-309-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3744-310-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3756-267-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3756-287-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3756-234-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3756-289-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3756-216-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4076-262-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4076-264-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4372-311-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4432-323-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4496-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4496-258-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4916-248-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4952-269-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4956-197-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4956-208-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5024-217-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5024-222-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5052-297-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5096-321-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5096-322-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5156-319-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5216-315-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5216-314-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5444-316-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5444-317-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5548-320-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5696-318-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download