7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Analysis

max time kernel
190s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
Size

465KB
MD5

69e8f1c4b3895768e91d4a466f78bcb0
SHA1

42b8b8613db7462fde9d6d5c5a483033ece10969
SHA256

7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
SHA512

6a099951e4dd3e828279629f3ad2b5a53434c74fbf9a8f01b512909a52fd789a371805dacaca69cd7303a088e1a015804519d1617e9519180903e134fae2019f
SSDEEP

12288:zQuawXWkQGWkLyZYrhRwngXdht5Uas4xELN3iNc:z4wmb1kLPr3wgLPU7gELxMc

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4424	ryQQUEAI.exe
4808	eOkEokoQ.exe
4792	WoAMEYUU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eOkEokoQ.exe = "C:\\ProgramData\\uUowwUIE\\eOkEokoQ.exe"	eOkEokoQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eOkEokoQ.exe = "C:\\ProgramData\\uUowwUIE\\eOkEokoQ.exe"	WoAMEYUU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUsQEMco.exe = "C:\\Users\\Admin\\baQcEMMk\\GUsQEMco.exe"	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmMgcIIw.exe = "C:\\ProgramData\\SMgIwYko\\gmMgcIIw.exe"	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ryQQUEAI.exe = "C:\\Users\\Admin\\gqMggAck\\ryQQUEAI.exe"	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ryQQUEAI.exe = "C:\\Users\\Admin\\gqMggAck\\ryQQUEAI.exe"	ryQQUEAI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eOkEokoQ.exe = "C:\\ProgramData\\uUowwUIE\\eOkEokoQ.exe"	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\gqMggAck\ryQQUEAI	WoAMEYUU.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	ryQQUEAI.exe
File opened for modification	C:\Windows\SysWOW64\sheSetConnect.jpg	ryQQUEAI.exe
File opened for modification	C:\Windows\SysWOW64\sheSetDisable.ppt	ryQQUEAI.exe
File opened for modification	C:\Windows\SysWOW64\sheUnpublishGroup.jpg	ryQQUEAI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\gqMggAck	WoAMEYUU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4148	3296	WerFault.exe	1578
644	1340	WerFault.exe	1576
5032	1084	WerFault.exe	1581

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4280	reg.exe
1352	Process not Found
5008	reg.exe
2136	reg.exe
4504	reg.exe
1072	reg.exe
1168	reg.exe
2760	reg.exe
1732	Process not Found
4856	Process not Found
3476	reg.exe
1816	reg.exe
5116	reg.exe
3416	reg.exe
2108	reg.exe
3912	Process not Found
3968	Process not Found
3292	Process not Found
2520	reg.exe
2184	reg.exe
2548	reg.exe
3604	reg.exe
1344	reg.exe
4228	Process not Found
2680	Process not Found
1344	Process not Found
3504	reg.exe
3292	reg.exe
4080	reg.exe
480	reg.exe
3664	reg.exe
1952	reg.exe
1592	reg.exe
3872	reg.exe
2580	reg.exe
2448	reg.exe
4020	reg.exe
3088	reg.exe
448	Process not Found
2400	Process not Found
3132	reg.exe
4688	reg.exe
4964	reg.exe
816	reg.exe
4884	Process not Found
4912	reg.exe
3704	reg.exe
2084	reg.exe
4544	Process not Found
4560	reg.exe
4116	reg.exe
2468	Process not Found
2172	reg.exe
5116	reg.exe
224	reg.exe
1884	reg.exe
1400	reg.exe
4688	Process not Found
3932	Process not Found
2120	Process not Found
2708	reg.exe
3912	reg.exe
620	reg.exe
3616	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3012	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3012	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3012	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3012	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1824	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1824	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1824	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1824	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
968	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
968	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
968	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
968	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1504	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1504	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1504	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1504	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1592	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1592	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1592	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1592	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2468	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2468	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2468	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2468	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1660	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1660	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1660	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1660	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1388	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1388	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1388	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
1388	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3080	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3080	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3080	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3080	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3844	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3844	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3844	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
3844	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2924	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2924	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2924	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
2924	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 4424	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	81
PID 3856 wrote to memory of 4424	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	81
PID 3856 wrote to memory of 4424	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	81
PID 3856 wrote to memory of 4808	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	82
PID 3856 wrote to memory of 4808	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	82
PID 3856 wrote to memory of 4808	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	82
PID 3856 wrote to memory of 5044	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	84
PID 3856 wrote to memory of 5044	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	84
PID 3856 wrote to memory of 5044	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	84
PID 3856 wrote to memory of 4500	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	85
PID 3856 wrote to memory of 4500	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	85
PID 3856 wrote to memory of 4500	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	85
PID 3856 wrote to memory of 2028	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	91
PID 3856 wrote to memory of 2028	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	91
PID 3856 wrote to memory of 2028	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	91
PID 3856 wrote to memory of 2596	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	90
PID 3856 wrote to memory of 2596	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	90
PID 3856 wrote to memory of 2596	3856	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	90
PID 5044 wrote to memory of 692	5044	cmd.exe	92
PID 5044 wrote to memory of 692	5044	cmd.exe	92
PID 5044 wrote to memory of 692	5044	cmd.exe	92
PID 692 wrote to memory of 3700	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	94
PID 692 wrote to memory of 3700	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	94
PID 692 wrote to memory of 3700	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	94
PID 3700 wrote to memory of 3076	3700	cmd.exe	95
PID 3700 wrote to memory of 3076	3700	cmd.exe	95
PID 3700 wrote to memory of 3076	3700	cmd.exe	95
PID 692 wrote to memory of 224	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	96
PID 692 wrote to memory of 224	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	96
PID 692 wrote to memory of 224	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	96
PID 692 wrote to memory of 1288	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	103
PID 692 wrote to memory of 1288	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	103
PID 692 wrote to memory of 1288	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	103
PID 692 wrote to memory of 3896	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	101
PID 692 wrote to memory of 3896	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	101
PID 692 wrote to memory of 3896	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	101
PID 692 wrote to memory of 1072	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	100
PID 692 wrote to memory of 1072	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	100
PID 692 wrote to memory of 1072	692	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	100
PID 3076 wrote to memory of 4704	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	105
PID 3076 wrote to memory of 4704	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	105
PID 3076 wrote to memory of 4704	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	105
PID 4704 wrote to memory of 3476	4704	cmd.exe	106
PID 4704 wrote to memory of 3476	4704	cmd.exe	106
PID 4704 wrote to memory of 3476	4704	cmd.exe	106
PID 3076 wrote to memory of 4024	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	107
PID 3076 wrote to memory of 4024	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	107
PID 3076 wrote to memory of 4024	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	107
PID 3076 wrote to memory of 3564	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	114
PID 3076 wrote to memory of 3564	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	114
PID 3076 wrote to memory of 3564	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	114
PID 3076 wrote to memory of 3996	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	112
PID 3076 wrote to memory of 3996	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	112
PID 3076 wrote to memory of 3996	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	112
PID 3076 wrote to memory of 3748	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	109
PID 3076 wrote to memory of 3748	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	109
PID 3076 wrote to memory of 3748	3076	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	109
PID 3476 wrote to memory of 3708	3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	116
PID 3476 wrote to memory of 3708	3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	116
PID 3476 wrote to memory of 3708	3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	116
PID 3476 wrote to memory of 5068	3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	117
PID 3476 wrote to memory of 5068	3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	117
PID 3476 wrote to memory of 5068	3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	117
PID 3476 wrote to memory of 4420	3476	7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe	124

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
"C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\gqMggAck\ryQQUEAI.exe
  "C:\Users\Admin\gqMggAck\ryQQUEAI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:4424
- C:\ProgramData\uUowwUIE\eOkEokoQ.exe
  "C:\ProgramData\uUowwUIE\eOkEokoQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
    C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        8⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        10⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        12⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        14⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        16⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        18⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        20⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        22⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        24⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        26⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        28⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        30⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        32⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        33⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        34⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        35⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        36⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        37⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        38⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        39⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        40⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        41⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        42⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        43⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        44⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        45⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        46⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        47⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        48⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        49⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        50⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        51⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        52⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        53⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGIEooQs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        52⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKYoEkYs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        50⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gywcEAQs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        48⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAQkoEEM.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        46⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOcAQUAc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        44⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEwMIUg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        42⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeoMEokE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        40⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoocEccs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        38⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQskgIsI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        36⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgsIsIIE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        34⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEgAsMYc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        32⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiIcAEQk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        30⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQQscUEk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        28⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCsoAsgI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        26⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQcYEAEE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        24⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOYkMYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        22⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGIYcswM.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        20⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKoUwQMg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        18⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsMYQsUI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        16⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSgcwogg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        14⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQcMwgEI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        12⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuwAYsko.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        10⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMwAEkso.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        8⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4420
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYkQsQUc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        6⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1936
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3996
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3564
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiAwcAQA.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3896
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1288
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4500
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQQAAksU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2456

C:\ProgramData\qOQgwgkk\WoAMEYUU.exe
C:\ProgramData\qOQgwgkk\WoAMEYUU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
  C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
    3⤵
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
      C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        5⤵
        
        PID:4080
      - C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        6⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        7⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wocAwIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        7⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOEgscQI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        5⤵
        
        PID:3848
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1848
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAAYAAQs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3180
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICgMQkwo.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
1⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
1⤵
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
  2⤵
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
    C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
    3⤵
    PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
      4⤵
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        5⤵
        
        PID:3632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYAgscgk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        6⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4532
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:3476
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3232
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmwMUAsg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
      4⤵
      PID:4800
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3508
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5068
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiEMUAYg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1536
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4176
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1028
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
  C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
    3⤵
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
      C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
      4⤵
      PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        5⤵
        
        PID:2184
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        UAC bypass
        
        PID:5072
      - C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        6⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        7⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        9⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        10⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        11⤵
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        UAC bypass
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        12⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        13⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        14⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        15⤵
        
        PID:3432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        16⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        17⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        18⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        19⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        20⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        21⤵
        
        PID:4876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        22⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        23⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        24⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        25⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        27⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        28⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        29⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        30⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        31⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        32⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        33⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        34⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        35⤵
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        36⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        37⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        38⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        39⤵
        
        PID:2428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        40⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        41⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        42⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        43⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        44⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        45⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        46⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        47⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        48⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        49⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        50⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        51⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        52⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        53⤵
        
        PID:1340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        54⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        55⤵
        
        PID:480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        56⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        57⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        58⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        59⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        60⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        61⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        62⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        63⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        64⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        65⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        66⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        67⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        68⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        69⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        70⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        71⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        72⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        73⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        74⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        75⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        76⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        77⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        78⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        79⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        80⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        81⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        82⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        83⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        84⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        85⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        86⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        87⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        88⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        89⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        90⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        91⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        92⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        93⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        94⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        95⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        96⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        97⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        98⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        99⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        100⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        101⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        102⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        103⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        104⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        105⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        106⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        107⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        108⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        109⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        110⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        111⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        112⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        113⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        114⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        115⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        116⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        117⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        118⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        119⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        120⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        121⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        122⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        123⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        124⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        125⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        126⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        127⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        128⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        129⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        130⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        131⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        132⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        133⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        134⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        135⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        136⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        137⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        138⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        139⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        140⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        141⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        142⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        143⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        144⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        145⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        146⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        147⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        148⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        149⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        150⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        151⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        152⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        153⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        154⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        155⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        156⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        157⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        158⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        159⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        160⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        161⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        162⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        163⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        164⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        165⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        166⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        167⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        168⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        169⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        170⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        171⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        172⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        173⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        174⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        175⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        176⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        177⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        178⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        179⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        180⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        181⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        182⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        183⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        184⤵
        Adds Run key to start application
        
        PID:1104
        
        C:\Users\Admin\baQcEMMk\GUsQEMco.exe
        
        "C:\Users\Admin\baQcEMMk\GUsQEMco.exe"
        185⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 264
        186⤵
        Program crash
        
        PID:644
        
        C:\ProgramData\SMgIwYko\gmMgcIIw.exe
        
        "C:\ProgramData\SMgIwYko\gmMgcIIw.exe"
        185⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 360
        186⤵
        Program crash
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        185⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        186⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        187⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        188⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        189⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        190⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        191⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        192⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        193⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        194⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        195⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        196⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        197⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        198⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        199⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        200⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        201⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        202⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        203⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        204⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        205⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        206⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        207⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        208⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        209⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        210⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        211⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        212⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        213⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        214⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341"
        215⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341
        216⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAkIsIYU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        213⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        214⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        213⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        213⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        213⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        211⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCMcMcQs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        211⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        212⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        211⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        211⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQUsgswE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        209⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        210⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        209⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        209⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        209⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWoEkEMI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        207⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        208⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        207⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        207⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        205⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcUwAMwA.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        205⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        206⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        205⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        205⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        203⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwEAMEMs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        203⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        204⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        203⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        203⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        201⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUscoAYs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        201⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        202⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        201⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        201⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        199⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuMIIUcU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        199⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        200⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        199⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        199⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        197⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQkIQscI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        197⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        198⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        197⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        197⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEswEEIs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        195⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        196⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        195⤵
        Modifies registry key
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        195⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        195⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywEscoc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        193⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        194⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        193⤵
        UAC bypass
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        193⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        193⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        191⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        191⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        191⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IscQQcIA.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        191⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        192⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIAQkAwk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        189⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        190⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        189⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        189⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        189⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giwUMokU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        187⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        188⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        187⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        187⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        187⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        185⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        185⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        185⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        183⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOsAQMEY.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        183⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        184⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        183⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        183⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGMUAgoc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        181⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        182⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        181⤵
        Modifies registry key
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        181⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        181⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcscIUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        179⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        180⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        179⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        179⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        179⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecMMkwkc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        177⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        178⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        177⤵
        UAC bypass
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        177⤵
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        177⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiIEQEss.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        175⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        176⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        175⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        175⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        175⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMQQYwsY.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        173⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        174⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        173⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        173⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        173⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIcUwcMk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        171⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        172⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        171⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        171⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        171⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIQggMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        169⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        170⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        169⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        169⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        169⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwYMsIwA.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        167⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        168⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        167⤵
        UAC bypass
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        167⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        167⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        165⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqMUIcQY.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        165⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        166⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        165⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        165⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEYcoYow.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        163⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        164⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        163⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        163⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        163⤵
        Modifies visibility of file extensions in Explorer
        
        PID:260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaIUsQQY.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        161⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        162⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        161⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        161⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        161⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMQIoUgI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        159⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        160⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        159⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        159⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        159⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKQgEoMI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        157⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        158⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        157⤵
        UAC bypass
        Modifies registry key
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        157⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        157⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgEIowMc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        155⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        156⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        155⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        155⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        155⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        153⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmYYgsYg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        153⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        154⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        153⤵
        UAC bypass
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        153⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAQwkMQw.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        151⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        152⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        151⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        151⤵
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        151⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        149⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        149⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        149⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WisUEsIk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        149⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        150⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        147⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        147⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        147⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOQgEMAE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        147⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        148⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        145⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqwUEsAE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        145⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        146⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        145⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        145⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        143⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        143⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euIssEkg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        143⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        144⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        143⤵
        Modifies registry key
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        141⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        141⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMYgQIws.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        141⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        142⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        141⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSQQoUIo.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        139⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        140⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        139⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        139⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        139⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        137⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSIAEEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        137⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        138⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        137⤵
        UAC bypass
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        137⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        135⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        135⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        135⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCwoEUss.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        135⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        136⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCMkoowE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        133⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        134⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        133⤵
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        133⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        133⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        131⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcgcMEMc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        131⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        132⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        131⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        131⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCAUcskA.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        129⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        130⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        129⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        129⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        129⤵
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        127⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        127⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        127⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwcUUgos.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        127⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        128⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        UAC bypass
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jigUQsEo.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        125⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        126⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        125⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        125⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQogQsco.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        123⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        124⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        123⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        123⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAsYAoEo.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        121⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        122⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        UAC bypass
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        121⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWMEcwIU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        119⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWQAMEwY.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        117⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        118⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWUggUwg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        115⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMgIokUc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        113⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        Modifies registry key
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWgIosAA.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        111⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIAsoEcM.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        109⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bioogskM.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        107⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        UAC bypass
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYYEcwIg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        105⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwEsgAIk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        103⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmcYAwYo.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        101⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        UAC bypass
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSgAUcEI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        99⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmowcYAc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        97⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkAAsokw.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        95⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        UAC bypass
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gywsssQk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        93⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIskEYUs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        91⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgMYwwkY.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        89⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        Modifies registry key
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        Modifies registry key
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyMIkEAs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        87⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        UAC bypass
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwgsogAE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        85⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIAwcIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        83⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEcUwIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        81⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poUkIYQE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        79⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        UAC bypass
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSUAEUAg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        77⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        UAC bypass
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        Modifies registry key
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckIAcwIM.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        75⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKUEkwQs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        73⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veAYkwcY.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        71⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        Modifies registry key
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMkMgwUI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        69⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYkAwowA.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        67⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWswskQw.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        65⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        Modifies registry key
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqIEgkQs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        63⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agUoswos.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        61⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYwwUUME.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        59⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        Modifies registry key
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McwoskgM.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        57⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOIQwQsc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        55⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nicoscss.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        53⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JewYwIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        51⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGoMYkAk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        49⤵
        
        PID:3460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        Modifies registry key
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyAQcUgs.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        47⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sasUIAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        45⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEAIcEEU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        43⤵
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYUkgQcw.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        41⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKMUwggE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        39⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        Modifies registry key
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUIcIsIk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        37⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkokYwAU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        35⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgMIMQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        33⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyccsEEY.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        31⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoUcEIAA.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        29⤵
        
        PID:1796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAogogMo.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        27⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQQkUksw.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        25⤵
        
        PID:4188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiQEwUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        23⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAEwIEAk.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        21⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyoAUsgU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        19⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCcsIMAg.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        17⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSYocwkI.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        15⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYcQssEo.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        13⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCAssgks.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        11⤵
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsMosUYU.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        9⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkkMIAQw.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        7⤵
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkUUAMYE.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIEoMQAc.bat" "C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341.exe""
    3⤵
    PID:3748
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:816
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3504
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1340 -ip 1340
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3296 -ip 3296
1⤵
PID:1100

C:\ProgramData\RiUQUIQE\rkgEQgEo.exe
C:\ProgramData\RiUQUIQE\rkgEQgEo.exe
1⤵
PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 376
  2⤵
  - Program crash
  PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1084 -ip 1084
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qOQgwgkk\WoAMEYUU.exe

Filesize
431KB

MD5
cf8dbeca45cd9362fb6b92411e6afcff

SHA1
1e2515de7fac676ab0b8a9af3dea4842fb73fb3a

SHA256
a1e8ccc8e58e6fe9d7823ef4142e90ee1dd895be70db0c768a9c90c843466708

SHA512
59456a3d1337853e3d43fcbcd6076128b5baa616ea003e60f39d836e8d23bead43730133e038e4ee52ec73f3c6aa49e32f035f96cdb373e87f833ee5bef0f40c

Download Submit
C:\ProgramData\qOQgwgkk\WoAMEYUU.exe

Filesize
431KB

MD5
cf8dbeca45cd9362fb6b92411e6afcff

SHA1
1e2515de7fac676ab0b8a9af3dea4842fb73fb3a

SHA256
a1e8ccc8e58e6fe9d7823ef4142e90ee1dd895be70db0c768a9c90c843466708

SHA512
59456a3d1337853e3d43fcbcd6076128b5baa616ea003e60f39d836e8d23bead43730133e038e4ee52ec73f3c6aa49e32f035f96cdb373e87f833ee5bef0f40c

Download Submit
C:\ProgramData\uUowwUIE\eOkEokoQ.exe

Filesize
429KB

MD5
f26b86836918809f163f7233020a1e98

SHA1
869996c9a96b24aff36d792761833cf2854f913d

SHA256
7f51874dc7e7ed69923cb43f0891cd2f745dbc003d14a7e78ff23c33724559fb

SHA512
7e3962c59eb1bc61173538083b497c2be84c58a686f6c9fdf5e1860f07f547b09f46d9777a9e130ad187de11404f69fef48add274fa07afd66309a309fe4c654

Download Submit
C:\ProgramData\uUowwUIE\eOkEokoQ.exe

Filesize
429KB

MD5
f26b86836918809f163f7233020a1e98

SHA1
869996c9a96b24aff36d792761833cf2854f913d

SHA256
7f51874dc7e7ed69923cb43f0891cd2f745dbc003d14a7e78ff23c33724559fb

SHA512
7e3962c59eb1bc61173538083b497c2be84c58a686f6c9fdf5e1860f07f547b09f46d9777a9e130ad187de11404f69fef48add274fa07afd66309a309fe4c654

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef84df760a77fc6632ac82069530ea18a9f356bf94951d11bf2c5297e2f4341

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYkQsQUc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQcMwgEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQQscUEk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuwAYsko.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEgAsMYc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiAwcAQA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQskgIsI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OiIcAEQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QeEwMIUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeoMEokE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCsoAsgI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSgcwogg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XoocEccs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsMYQsUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOYkMYMQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQcYEAEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMwAEkso.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKoUwQMg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGIYcswM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgsIsIIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\gqMggAck\ryQQUEAI.exe

Filesize
430KB

MD5
aa3e98950b1c3005b9dc545f41892f13

SHA1
78a0753635555bcfac3f531e64d74099ac1cd62f

SHA256
d1eb002fc31c9791549cc9d724ba33903998657e86d27aa0a673f0ab5aaeea78

SHA512
4c85f0e6ff73c9e05bb44aa2aa76c605021dd2ca6bbd44f8eeb8899c16271567a1d6cc1f083e7c6b86d8896f39bef03ab3ea557e8f3575c7b073263da3374a1d

Download Submit
C:\Users\Admin\gqMggAck\ryQQUEAI.exe

Filesize
430KB

MD5
aa3e98950b1c3005b9dc545f41892f13

SHA1
78a0753635555bcfac3f531e64d74099ac1cd62f

SHA256
d1eb002fc31c9791549cc9d724ba33903998657e86d27aa0a673f0ab5aaeea78

SHA512
4c85f0e6ff73c9e05bb44aa2aa76c605021dd2ca6bbd44f8eeb8899c16271567a1d6cc1f083e7c6b86d8896f39bef03ab3ea557e8f3575c7b073263da3374a1d

Download Submit
memory/224-152-0x0000000000000000-mapping.dmp

Download
memory/224-222-0x0000000000000000-mapping.dmp

Download
memory/672-198-0x0000000000000000-mapping.dmp

Download
memory/692-164-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/692-148-0x0000000000000000-mapping.dmp

Download
memory/924-197-0x0000000000000000-mapping.dmp

Download
memory/968-195-0x0000000000000000-mapping.dmp

Download
memory/968-207-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1072-155-0x0000000000000000-mapping.dmp

Download
memory/1288-153-0x0000000000000000-mapping.dmp

Download
memory/1300-298-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1340-304-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1340-303-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1352-241-0x0000000000000000-mapping.dmp

Download
memory/1384-288-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1388-258-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1424-297-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1456-202-0x0000000000000000-mapping.dmp

Download
memory/1504-220-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1504-208-0x0000000000000000-mapping.dmp

Download
memory/1504-225-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1504-209-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-234-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-226-0x0000000000000000-mapping.dmp

Download
memory/1592-239-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1660-254-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1772-199-0x0000000000000000-mapping.dmp

Download
memory/1824-200-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1824-191-0x0000000000000000-mapping.dmp

Download
memory/1936-175-0x0000000000000000-mapping.dmp

Download
memory/2028-146-0x0000000000000000-mapping.dmp

Download
memory/2120-314-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2120-315-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2172-224-0x0000000000000000-mapping.dmp

Download
memory/2188-305-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2228-218-0x0000000000000000-mapping.dmp

Download
memory/2300-186-0x0000000000000000-mapping.dmp

Download
memory/2400-317-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2416-320-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2416-321-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2468-250-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2468-245-0x0000000000000000-mapping.dmp

Download
memory/2520-203-0x0000000000000000-mapping.dmp

Download
memory/2596-147-0x0000000000000000-mapping.dmp

Download
memory/2640-306-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2680-316-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2692-235-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2692-246-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2692-232-0x0000000000000000-mapping.dmp

Download
memory/2760-173-0x0000000000000000-mapping.dmp

Download
memory/2792-309-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2900-181-0x0000000000000000-mapping.dmp

Download
memory/2924-268-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2924-271-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3012-188-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3012-178-0x0000000000000000-mapping.dmp

Download
memory/3056-206-0x0000000000000000-mapping.dmp

Download
memory/3064-221-0x0000000000000000-mapping.dmp

Download
memory/3076-165-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3076-151-0x0000000000000000-mapping.dmp

Download
memory/3080-261-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3080-263-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3296-244-0x0000000000000000-mapping.dmp

Download
memory/3364-231-0x0000000000000000-mapping.dmp

Download
memory/3392-183-0x0000000000000000-mapping.dmp

Download
memory/3416-293-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3416-289-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3424-275-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3476-236-0x0000000000000000-mapping.dmp

Download
memory/3476-158-0x0000000000000000-mapping.dmp

Download
memory/3476-166-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3476-177-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3496-176-0x0000000000000000-mapping.dmp

Download
memory/3500-302-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3528-319-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3564-160-0x0000000000000000-mapping.dmp

Download
memory/3572-322-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3632-312-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3632-311-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3656-233-0x0000000000000000-mapping.dmp

Download
memory/3700-150-0x0000000000000000-mapping.dmp

Download
memory/3708-168-0x0000000000000000-mapping.dmp

Download
memory/3716-310-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3716-223-0x0000000000000000-mapping.dmp

Download
memory/3748-162-0x0000000000000000-mapping.dmp

Download
memory/3832-219-0x0000000000000000-mapping.dmp

Download
memory/3844-267-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3856-210-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3856-135-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3896-154-0x0000000000000000-mapping.dmp

Download
memory/3964-313-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3968-301-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3976-204-0x0000000000000000-mapping.dmp

Download
memory/3996-229-0x0000000000000000-mapping.dmp

Download
memory/3996-161-0x0000000000000000-mapping.dmp

Download
memory/4024-159-0x0000000000000000-mapping.dmp

Download
memory/4068-205-0x0000000000000000-mapping.dmp

Download
memory/4084-184-0x0000000000000000-mapping.dmp

Download
memory/4120-323-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4192-192-0x0000000000000000-mapping.dmp

Download
memory/4420-172-0x0000000000000000-mapping.dmp

Download
memory/4424-132-0x0000000000000000-mapping.dmp

Download
memory/4424-136-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4424-211-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4460-185-0x0000000000000000-mapping.dmp

Download
memory/4500-145-0x0000000000000000-mapping.dmp

Download
memory/4524-238-0x0000000000000000-mapping.dmp

Download
memory/4560-307-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4560-308-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4576-280-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4576-276-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4704-157-0x0000000000000000-mapping.dmp

Download
memory/4744-174-0x0000000000000000-mapping.dmp

Download
memory/4792-213-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4792-143-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4808-212-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4808-142-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4808-137-0x0000000000000000-mapping.dmp

Download
memory/4820-300-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4820-299-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4840-237-0x0000000000000000-mapping.dmp

Download
memory/4940-284-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4948-187-0x0000000000000000-mapping.dmp

Download
memory/4968-194-0x0000000000000000-mapping.dmp

Download
memory/4972-196-0x0000000000000000-mapping.dmp

Download
memory/5044-144-0x0000000000000000-mapping.dmp

Download
memory/5068-171-0x0000000000000000-mapping.dmp

Download
memory/5112-318-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download