b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Analysis

max time kernel
166s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
Size

491KB
MD5

66ab374f3df96bf4e1f471d50b6d67a0
SHA1

cc35340e17e2adb066f1cfe58d2d194d0a87c2f2
SHA256

b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
SHA512

5e953c2ba7d1a090ef5661e1d8768de93b932df466578d89fa3fa3eebb00bccaf70c3246e92edbf4bf0eca8574524818c1802f9d676ee84ab94ab5e086a515db
SSDEEP

12288:mlHkkfPV9Ba2JiyC4bniHx7l9hRabnTWhx8U8z:mikfzBafyCg0l9Puahx2

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\XcskMggo\\qCgwkYQg.exe,"	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\XcskMggo\\qCgwkYQg.exe,"	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
5004	goYMkcco.exe
3668	qCgwkYQg.exe
1108	IGkIUQkM.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	qCgwkYQg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goYMkcco.exe = "C:\\Users\\Admin\\SUosgkIU\\goYMkcco.exe"	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goYMkcco.exe = "C:\\Users\\Admin\\SUosgkIU\\goYMkcco.exe"	goYMkcco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qCgwkYQg.exe = "C:\\ProgramData\\XcskMggo\\qCgwkYQg.exe"	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qCgwkYQg.exe = "C:\\ProgramData\\XcskMggo\\qCgwkYQg.exe"	qCgwkYQg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qCgwkYQg.exe = "C:\\ProgramData\\XcskMggo\\qCgwkYQg.exe"	IGkIUQkM.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheDisableWrite.png	qCgwkYQg.exe
File opened for modification	C:\Windows\SysWOW64\sheImportFormat.zip	qCgwkYQg.exe
File opened for modification	C:\Windows\SysWOW64\sheSwitchConnect.docx	qCgwkYQg.exe
File opened for modification	C:\Windows\SysWOW64\sheUninstallPush.png	qCgwkYQg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SUosgkIU	IGkIUQkM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\SUosgkIU\goYMkcco	IGkIUQkM.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	qCgwkYQg.exe
File opened for modification	C:\Windows\SysWOW64\sheConvertFromRename.ppt	qCgwkYQg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2860	reg.exe
5040	reg.exe
4060	reg.exe
1816	reg.exe
1580	reg.exe
3588	reg.exe
4088	reg.exe
2268	reg.exe
4244	reg.exe
1508	reg.exe
4060	reg.exe
4720	reg.exe
2368	reg.exe
4576	reg.exe
2432	reg.exe
1676	reg.exe
1144	reg.exe
3604	reg.exe
800	reg.exe
3236	reg.exe
4344	reg.exe
4056	reg.exe
3488	reg.exe
3296	reg.exe
2400	reg.exe
4460	reg.exe
4784	reg.exe
1328	reg.exe
424	reg.exe
1940	reg.exe
4228	reg.exe
2720	reg.exe
4192	reg.exe
956	reg.exe
4444	reg.exe
380	reg.exe
2084	reg.exe
4232	reg.exe
112	reg.exe
956	reg.exe
3324	reg.exe
4784	reg.exe
2116	reg.exe
3204	reg.exe
3092	reg.exe
1536	reg.exe
1688	reg.exe
2256	reg.exe
112	reg.exe
908	reg.exe
388	reg.exe
1904	reg.exe
2460	reg.exe
3416	reg.exe
1064	reg.exe
3536	reg.exe
444	reg.exe
1100	reg.exe
2528	reg.exe
1420	reg.exe
5000	reg.exe
3712	reg.exe
956	reg.exe
1852	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
3080	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
3080	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
3080	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
3080	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2528	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2528	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2528	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2528	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
632	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
632	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
632	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
632	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2364	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2364	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2364	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2364	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2988	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2988	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2988	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2988	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
3736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
3736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
3736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
3736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
1032	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
1032	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
1032	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
1032	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2040	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2040	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2040	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
2040	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4076	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4076	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4076	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4076	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4280	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4280	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4280	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4280	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4132	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4132	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4132	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4132	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4584	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4584	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4584	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4584	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4792	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4792	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4792	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
4792	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3668	qCgwkYQg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe
3668	qCgwkYQg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 5004	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	81
PID 5052 wrote to memory of 5004	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	81
PID 5052 wrote to memory of 5004	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	81
PID 5052 wrote to memory of 3668	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	82
PID 5052 wrote to memory of 3668	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	82
PID 5052 wrote to memory of 3668	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	82
PID 5052 wrote to memory of 1180	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	84
PID 5052 wrote to memory of 1180	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	84
PID 5052 wrote to memory of 1180	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	84
PID 1180 wrote to memory of 1736	1180	cmd.exe	86
PID 1180 wrote to memory of 1736	1180	cmd.exe	86
PID 1180 wrote to memory of 1736	1180	cmd.exe	86
PID 5052 wrote to memory of 2256	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	87
PID 5052 wrote to memory of 2256	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	87
PID 5052 wrote to memory of 2256	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	87
PID 5052 wrote to memory of 4736	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	88
PID 5052 wrote to memory of 4736	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	88
PID 5052 wrote to memory of 4736	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	88
PID 5052 wrote to memory of 1972	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	90
PID 5052 wrote to memory of 1972	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	90
PID 5052 wrote to memory of 1972	5052	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	90
PID 1736 wrote to memory of 4396	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	93
PID 1736 wrote to memory of 4396	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	93
PID 1736 wrote to memory of 4396	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	93
PID 4396 wrote to memory of 536	4396	cmd.exe	95
PID 4396 wrote to memory of 536	4396	cmd.exe	95
PID 4396 wrote to memory of 536	4396	cmd.exe	95
PID 1736 wrote to memory of 3228	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	96
PID 1736 wrote to memory of 3228	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	96
PID 1736 wrote to memory of 3228	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	96
PID 1736 wrote to memory of 716	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	98
PID 1736 wrote to memory of 716	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	98
PID 1736 wrote to memory of 716	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	98
PID 1736 wrote to memory of 3912	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	100
PID 1736 wrote to memory of 3912	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	100
PID 1736 wrote to memory of 3912	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	100
PID 1736 wrote to memory of 912	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	102
PID 1736 wrote to memory of 912	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	102
PID 1736 wrote to memory of 912	1736	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	102
PID 536 wrote to memory of 2436	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	104
PID 536 wrote to memory of 2436	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	104
PID 536 wrote to memory of 2436	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	104
PID 2436 wrote to memory of 3080	2436	cmd.exe	106
PID 2436 wrote to memory of 3080	2436	cmd.exe	106
PID 2436 wrote to memory of 3080	2436	cmd.exe	106
PID 536 wrote to memory of 3152	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	107
PID 536 wrote to memory of 3152	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	107
PID 536 wrote to memory of 3152	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	107
PID 536 wrote to memory of 4492	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	108
PID 536 wrote to memory of 4492	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	108
PID 536 wrote to memory of 4492	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	108
PID 536 wrote to memory of 3016	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	110
PID 536 wrote to memory of 3016	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	110
PID 536 wrote to memory of 3016	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	110
PID 536 wrote to memory of 4924	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	111
PID 536 wrote to memory of 4924	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	111
PID 536 wrote to memory of 4924	536	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	111
PID 3080 wrote to memory of 3144	3080	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	115
PID 3080 wrote to memory of 3144	3080	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	115
PID 3080 wrote to memory of 3144	3080	b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe	115
PID 4924 wrote to memory of 1884	4924	cmd.exe	117
PID 4924 wrote to memory of 1884	4924	cmd.exe	117
PID 4924 wrote to memory of 1884	4924	cmd.exe	117
PID 912 wrote to memory of 3272	912	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
"C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\SUosgkIU\goYMkcco.exe
  "C:\Users\Admin\SUosgkIU\goYMkcco.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5004
- C:\ProgramData\XcskMggo\qCgwkYQg.exe
  "C:\ProgramData\XcskMggo\qCgwkYQg.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
    C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        8⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        10⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        12⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        14⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        16⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        18⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        20⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        22⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        24⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        26⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        28⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        30⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        32⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        33⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        34⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        35⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        36⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        37⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        38⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        39⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        40⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        41⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        42⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        43⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        44⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        45⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        46⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        47⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        48⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        49⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        50⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        51⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        52⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        53⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        54⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        55⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        56⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        57⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        58⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        59⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        60⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        61⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        62⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        63⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        64⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        65⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        66⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        67⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        68⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        69⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        70⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        71⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        72⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        73⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        74⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        75⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        76⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        77⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        78⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        79⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        80⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        81⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        82⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        83⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        84⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        85⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        86⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        87⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        88⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        89⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        90⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        91⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        92⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        93⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        94⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        95⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        96⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        97⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        98⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        99⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        100⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        101⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        102⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        103⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        104⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        105⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        106⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        107⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        108⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        109⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        110⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        111⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        112⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        113⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        114⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        115⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        116⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        117⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        118⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        119⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        120⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        121⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        122⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        123⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        124⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        125⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        126⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        127⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        128⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        129⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        130⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        131⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        132⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        133⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        134⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        135⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        136⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        137⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        138⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        139⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        140⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        141⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        142⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        143⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        144⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        145⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        146⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        147⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        148⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        149⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        150⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        151⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        152⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        153⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        154⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        155⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        156⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        157⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        158⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        159⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        160⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        161⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        162⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        163⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        164⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        165⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        166⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        167⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        168⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        169⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        170⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        171⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        172⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        173⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        174⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        175⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        176⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        177⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        178⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        179⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        180⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        181⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        182⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        183⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        184⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        185⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        186⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        187⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        188⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        189⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        190⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        191⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        192⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        193⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        194⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        195⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        196⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        197⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        198⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        199⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        200⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        201⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        202⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        203⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        204⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        205⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        206⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        207⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        208⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        209⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        210⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        211⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        212⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        213⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        214⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        215⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        216⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        217⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        218⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        219⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        220⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        221⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        222⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        223⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        224⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        225⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        226⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        227⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        228⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        229⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        230⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        231⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        232⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        233⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        234⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        235⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        236⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        237⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        238⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        239⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        240⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        241⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        242⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        243⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        244⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        245⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        246⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        247⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        248⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        249⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        250⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        251⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        252⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        253⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        254⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        255⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        256⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        257⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        258⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        259⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        260⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        261⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        262⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        263⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        264⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        265⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        266⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        267⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        268⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        269⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        270⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        271⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        272⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        273⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        274⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        275⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        276⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        277⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        278⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        279⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        280⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        281⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        282⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        283⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        284⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        285⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        286⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        287⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        288⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        289⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        290⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a
        291⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a"
        292⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkYQocIY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        292⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        292⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        292⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        292⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        290⤵
        UAC bypass
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkgcsAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        290⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        291⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        290⤵
        Modifies registry key
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        290⤵
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        288⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        288⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEYAksAg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        288⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        289⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        288⤵
        UAC bypass
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        286⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        286⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        286⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuQokkEU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        286⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        287⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lusIwEwE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        284⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        285⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        284⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYEkMMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        282⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        283⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        UAC bypass
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsEAIAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        280⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEIgwkUU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        278⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        Modifies registry key
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FesAwAUs.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        276⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUkAwwQw.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        274⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsQwgIUA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        272⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYwgoQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        270⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        UAC bypass
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmQoEQgk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        268⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaEMcQQA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        266⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiUAYwEM.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        264⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        Modifies registry key
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwgQMskQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        262⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWEMoYYs.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        260⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKsQUMYg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        258⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boAwAccw.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        256⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQwAQccA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        254⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOMMUIUo.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        252⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKssccMU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        250⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqgYocQQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        248⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYwgQMUE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        246⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqEgMYsE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        244⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWkgoYEM.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        242⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcsgsIQA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        240⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMgQQYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        238⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maMsckAk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        236⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsUAcUMc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        234⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQIooAgc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        232⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiwoYIAI.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        230⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwwEsMss.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        228⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SugIMYEk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        226⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yisEkAso.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        224⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaEgQwIU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        222⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEYUwAwo.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        220⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKEwkUok.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        218⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fScgcksI.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        216⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncssAEsw.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        214⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsswAsQs.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        212⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diIgQsIY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        210⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqAcYUUI.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        208⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcEEwIgs.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        206⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMMUwYgU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        204⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWMoAUEs.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        202⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaksgoYo.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        200⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycscQcQk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        198⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euQAYwIg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        196⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQcgogAE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        194⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwwAEYos.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        192⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmMAkIos.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        190⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEcYgAMI.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        188⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeoIkUgc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        186⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoQUcoMA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        184⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWoAYook.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        182⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyQUoscM.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        180⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sawMkEQc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        178⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IswIYsMY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        176⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iygQAcEI.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        174⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQwcYAIg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        172⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMAgokEY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        170⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jogUsgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        168⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        Modifies registry key
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiscEUME.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        166⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAYsYMIg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        164⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyggYMQs.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        162⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWYkQAMs.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        160⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYAwcEYw.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        158⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmMogYkg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        156⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuwkAwYE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        154⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kagIIYAk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        152⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwwsQMIA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        150⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoskcAEk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        148⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsYYIEEM.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        146⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sggUIssw.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        144⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyYwksMc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        142⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWAMYwUE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        140⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGcsksIA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        138⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAYwsgEk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        136⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOYkAMQE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        134⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYYEoMww.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        132⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICcYIskU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        130⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAIIgAYA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        128⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkMcwsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        126⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKgEkUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        124⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noMMsIQw.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        122⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAQwgQws.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        120⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaQsgAEU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        118⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwgYsMow.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        116⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCkMcAkc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        114⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyYwcIEI.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        112⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAYIAkEg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        110⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKQEMosc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        108⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEUEAAko.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        106⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IksgUAwk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        104⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaYsEQcY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        102⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEAUEUkU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        100⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqMgkoAU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        98⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duYIEAQg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        96⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laMUMUcM.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        94⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoYwYEcw.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        92⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwsYYwcA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        90⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqAMUkEo.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        88⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWMgYQYA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        86⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWYQsksE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        84⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCkkgwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        82⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWowgMYE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        80⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqYoQMoA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        78⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOsMQQoY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        76⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIMEMcUY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        74⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMUUsMgg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        72⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAoQUEQc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        70⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkQQQMYA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        68⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkIUswsY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        66⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyEIwocI.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        64⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcMEkEAc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        62⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgIcgEgg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        60⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGgAwgck.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        58⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEQkQkgY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        56⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQcYMIUg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        54⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jycYokok.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        52⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqEgEgks.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        50⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAwswosQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        48⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOkoAIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        46⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oswgEAEE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        44⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoIIQUc.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        42⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiMwcUsA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        40⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkUAgoks.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        38⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuoAwUsk.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        36⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYAcwMEU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        34⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAoMkwUg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        32⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUkAgoYY.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        30⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOAwIIME.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        28⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOYMssYA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        26⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCEYAwgs.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        24⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyAgkAIE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        22⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuYcwIIA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        20⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOogkgkA.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        18⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UosoQkMU.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        16⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWkYEkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        14⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcwQMUow.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        12⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGEQwscQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        10⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reoogkIE.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        8⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2200
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3152
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4492
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkQUocQQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQoUcQUg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3272
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2256
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4736
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgcMYkkg.bat" "C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a.exe""
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2496

C:\ProgramData\assscIws\IGkIUQkM.exe
C:\ProgramData\assscIws\IGkIUQkM.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XcskMggo\qCgwkYQg.exe

Filesize
483KB

MD5
c74b2e39dfa70768a87ba6c0b2b527a4

SHA1
9c1f651a902f5f96899066b3d314f2cc2d1fe9d7

SHA256
8cf573649bd77ea761e1126875a5af265ff891356ca857c3c47d6b6d713a94a6

SHA512
bb7a0c2c4c7570cb4c89b840c930ed0eaa567d72984065f2d2a4f6cd55c2e76fa917d596197e2a9a0707dabf48549a2455bb23f3c677336a3410f6fbe9a158a6

Download Submit
C:\ProgramData\XcskMggo\qCgwkYQg.exe

Filesize
483KB

MD5
c74b2e39dfa70768a87ba6c0b2b527a4

SHA1
9c1f651a902f5f96899066b3d314f2cc2d1fe9d7

SHA256
8cf573649bd77ea761e1126875a5af265ff891356ca857c3c47d6b6d713a94a6

SHA512
bb7a0c2c4c7570cb4c89b840c930ed0eaa567d72984065f2d2a4f6cd55c2e76fa917d596197e2a9a0707dabf48549a2455bb23f3c677336a3410f6fbe9a158a6

Download Submit
C:\ProgramData\assscIws\IGkIUQkM.exe

Filesize
479KB

MD5
8d119aff3d1aafbb6b6cf45b4f877346

SHA1
a1e9640ef1ce8b35136fb933ea452e3eeb24bc63

SHA256
c9391aace82a88189bdeb79576a769c3137ba95d75ae361e0e4dbe8dc7cf3863

SHA512
0ee5a61bfe6e0ccd351c56af717d0cc204d48a47e23283e6faac3e3f5566a2f69afa1b6b266f14253a7c4776921105e5933d06f521ba336579e0b769aba6f7ef

Download Submit
C:\ProgramData\assscIws\IGkIUQkM.exe

Filesize
479KB

MD5
8d119aff3d1aafbb6b6cf45b4f877346

SHA1
a1e9640ef1ce8b35136fb933ea452e3eeb24bc63

SHA256
c9391aace82a88189bdeb79576a769c3137ba95d75ae361e0e4dbe8dc7cf3863

SHA512
0ee5a61bfe6e0ccd351c56af717d0cc204d48a47e23283e6faac3e3f5566a2f69afa1b6b266f14253a7c4776921105e5933d06f521ba336579e0b769aba6f7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DWkYEkgQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUAgoks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOYMssYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOogkgkA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYAcwMEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOAwIIME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkQUocQQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGEQwscQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UosoQkMU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuYcwIIA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiMwcUsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2e11f3d169e554a69f6a457cc4629f75eae8b49c5e745f56546c248f140697a

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQoUcQUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUkAgoYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcwQMUow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAoMkwUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCEYAwgs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\reoogkIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuoAwUsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyAgkAIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\SUosgkIU\goYMkcco.exe

Filesize
480KB

MD5
7317e89344ab4a2f2e775cf1a6f3f12f

SHA1
b867d68baadad04e00ce8c201650ca11e0315492

SHA256
7322c9598c72aaf0cc8ebf09dbac510e4e5a361487ff24a232e65adf21b5e5d8

SHA512
a74bbd4c13f512406c1a8c85070badb9dd37d54b456997bc2221bf1b423256ea80922615885ff7b5101831efb3d8059666a3556b198404c71e0b9bf6616c7c9f

Download Submit
C:\Users\Admin\SUosgkIU\goYMkcco.exe

Filesize
480KB

MD5
7317e89344ab4a2f2e775cf1a6f3f12f

SHA1
b867d68baadad04e00ce8c201650ca11e0315492

SHA256
7322c9598c72aaf0cc8ebf09dbac510e4e5a361487ff24a232e65adf21b5e5d8

SHA512
a74bbd4c13f512406c1a8c85070badb9dd37d54b456997bc2221bf1b423256ea80922615885ff7b5101831efb3d8059666a3556b198404c71e0b9bf6616c7c9f

Download Submit
memory/536-166-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/632-197-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/632-202-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1032-242-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1052-313-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1108-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1484-303-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1536-294-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1536-293-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1736-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1808-309-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2008-295-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2040-301-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2040-247-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2268-317-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2364-213-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2412-314-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2528-190-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2540-324-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2860-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2988-223-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3016-307-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3016-308-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3080-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3080-178-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3316-273-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3536-297-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3536-306-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3536-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-321-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3668-285-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3668-145-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3736-239-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3736-229-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-311-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-310-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4072-286-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4072-288-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4076-248-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4076-250-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4116-318-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4132-259-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4280-256-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4284-304-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4284-296-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4432-316-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4432-315-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4532-299-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4532-298-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4584-265-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4716-323-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4716-322-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4720-302-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4792-268-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4824-276-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4924-312-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5000-282-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5004-277-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5004-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5052-319-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5052-260-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5052-133-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5060-292-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5116-320-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download