aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Analysis

max time kernel
149s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
Size

444KB
MD5

69be442bc04cf47b994946b206ef3fc0
SHA1

04c115e907cf1643e554ebac9108b28fa6948585
SHA256

aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
SHA512

24cd6659ae5c5311bc30d199ba3c566db8d31daf01556fd30ffd0bf8faad8d7d653148ebc8fedc321efbf06fbf1d19f35c938a0ed8f7dc13d46650aee476f711
SSDEEP

6144:Ry3v47D28WZgwqii3V2SbS7DmGvFhb9cwdudaBL34fE6fHBZa9hiXkTLeZ:Ry3aD28yDqii3PGmGvrbAdaBLcZUHX+

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TrustedInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2460	xOQsoUIE.exe
5068	TEUEkUIs.exe
3748	QgYQQYok.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	xOQsoUIE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEUEkUIs.exe = "C:\\ProgramData\\YmcIkYcI\\TEUEkUIs.exe"	QgYQQYok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xOQsoUIE.exe = "C:\\Users\\Admin\\QkswUAwA\\xOQsoUIE.exe"	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xOQsoUIE.exe = "C:\\Users\\Admin\\QkswUAwA\\xOQsoUIE.exe"	xOQsoUIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEUEkUIs.exe = "C:\\ProgramData\\YmcIkYcI\\TEUEkUIs.exe"	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEUEkUIs.exe = "C:\\ProgramData\\YmcIkYcI\\TEUEkUIs.exe"	TEUEkUIs.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheUnpublishUnprotect.docx	xOQsoUIE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\QkswUAwA	QgYQQYok.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\QkswUAwA\xOQsoUIE	QgYQQYok.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	xOQsoUIE.exe
File opened for modification	C:\Windows\SysWOW64\sheJoinPublish.bmp	xOQsoUIE.exe
File opened for modification	C:\Windows\SysWOW64\sheResolveExit.rar	xOQsoUIE.exe
File opened for modification	C:\Windows\SysWOW64\sheSearchExpand.doc	xOQsoUIE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3652	reg.exe
4556	reg.exe
4800	reg.exe
3132	reg.exe
1716	reg.exe
4212	reg.exe
1788	reg.exe
5056	Process not Found
2888	reg.exe
4824	reg.exe
2012	reg.exe
2500	reg.exe
2520	reg.exe
4516	reg.exe
3472	reg.exe
2888	reg.exe
1324	reg.exe
2332	reg.exe
3408	reg.exe
3132	reg.exe
1904	reg.exe
2520	reg.exe
2120	reg.exe
2536	reg.exe
4264	reg.exe
2888	reg.exe
2024	reg.exe
1916	reg.exe
5016	reg.exe
3640	reg.exe
2268	reg.exe
1756	reg.exe
3684	reg.exe
4368	reg.exe
1904	reg.exe
4768	reg.exe
4980	reg.exe
2464	reg.exe
4352	reg.exe
1400	reg.exe
3828	reg.exe
4280	reg.exe
4092	reg.exe
3228	reg.exe
320	reg.exe
3856	reg.exe
1904	reg.exe
3292	reg.exe
4524	reg.exe
3780	reg.exe
2148	reg.exe
3012	reg.exe
3632	reg.exe
1156	reg.exe
2648	reg.exe
4072	reg.exe
3636	reg.exe
228	reg.exe
3324	reg.exe
3932	reg.exe
4232	reg.exe
2256	reg.exe
932	reg.exe
2896	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1280	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1280	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1280	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1280	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3108	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3108	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3108	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3108	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3012	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3012	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3012	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3012	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3548	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3548	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3548	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3548	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4536	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4536	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4536	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4536	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
520	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
520	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
520	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
520	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3372	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3372	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3372	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3372	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4084	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4084	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4084	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
4084	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1712	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1712	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1712	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1712	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
2676	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
2676	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
2676	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
2676	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3032	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3032	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3032	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
3032	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1688	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1688	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1688	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
1688	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2460	xOQsoUIE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2460	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	81
PID 2056 wrote to memory of 2460	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	81
PID 2056 wrote to memory of 2460	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	81
PID 2056 wrote to memory of 5068	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	82
PID 2056 wrote to memory of 5068	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	82
PID 2056 wrote to memory of 5068	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	82
PID 2056 wrote to memory of 4932	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	83
PID 2056 wrote to memory of 4932	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	83
PID 2056 wrote to memory of 4932	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	83
PID 2056 wrote to memory of 1312	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	91
PID 2056 wrote to memory of 1312	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	91
PID 2056 wrote to memory of 1312	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	91
PID 4932 wrote to memory of 4968	4932	cmd.exe	90
PID 4932 wrote to memory of 4968	4932	cmd.exe	90
PID 4932 wrote to memory of 4968	4932	cmd.exe	90
PID 2056 wrote to memory of 4188	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	89
PID 2056 wrote to memory of 4188	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	89
PID 2056 wrote to memory of 4188	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	89
PID 2056 wrote to memory of 4944	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	88
PID 2056 wrote to memory of 4944	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	88
PID 2056 wrote to memory of 4944	2056	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	88
PID 4968 wrote to memory of 2748	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	92
PID 4968 wrote to memory of 2748	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	92
PID 4968 wrote to memory of 2748	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	92
PID 4968 wrote to memory of 1304	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	94
PID 4968 wrote to memory of 1304	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	94
PID 4968 wrote to memory of 1304	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	94
PID 4968 wrote to memory of 1424	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	95
PID 4968 wrote to memory of 1424	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	95
PID 4968 wrote to memory of 1424	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	95
PID 4968 wrote to memory of 4432	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	96
PID 4968 wrote to memory of 4432	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	96
PID 4968 wrote to memory of 4432	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	96
PID 4968 wrote to memory of 652	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	97
PID 4968 wrote to memory of 652	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	97
PID 4968 wrote to memory of 652	4968	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	97
PID 2748 wrote to memory of 4312	2748	cmd.exe	98
PID 2748 wrote to memory of 4312	2748	cmd.exe	98
PID 2748 wrote to memory of 4312	2748	cmd.exe	98
PID 4312 wrote to memory of 4992	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	105
PID 4312 wrote to memory of 4992	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	105
PID 4312 wrote to memory of 4992	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	105
PID 4312 wrote to memory of 2148	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	106
PID 4312 wrote to memory of 2148	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	106
PID 4312 wrote to memory of 2148	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	106
PID 4312 wrote to memory of 3636	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	107
PID 4312 wrote to memory of 3636	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	107
PID 4312 wrote to memory of 3636	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	107
PID 4312 wrote to memory of 448	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	108
PID 4312 wrote to memory of 448	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	108
PID 4312 wrote to memory of 448	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	108
PID 4312 wrote to memory of 2096	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	109
PID 4312 wrote to memory of 2096	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	109
PID 4312 wrote to memory of 2096	4312	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	109
PID 4992 wrote to memory of 4400	4992	cmd.exe	115
PID 4992 wrote to memory of 4400	4992	cmd.exe	115
PID 4992 wrote to memory of 4400	4992	cmd.exe	115
PID 4400 wrote to memory of 1328	4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	117
PID 4400 wrote to memory of 1328	4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	117
PID 4400 wrote to memory of 1328	4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	117
PID 4400 wrote to memory of 4008	4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	119
PID 4400 wrote to memory of 4008	4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	119
PID 4400 wrote to memory of 4008	4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	119
PID 4400 wrote to memory of 4348	4400	aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe	127

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
"C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\QkswUAwA\xOQsoUIE.exe
  "C:\Users\Admin\QkswUAwA\xOQsoUIE.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  PID:2460
- C:\ProgramData\YmcIkYcI\TEUEkUIs.exe
  "C:\ProgramData\YmcIkYcI\TEUEkUIs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
    C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        8⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        10⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        12⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        14⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        16⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        18⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        20⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        22⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        24⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        26⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        28⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        30⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        32⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        33⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        34⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        35⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        36⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        37⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        38⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        39⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        40⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        41⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        42⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        43⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        44⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        45⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        46⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        47⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        48⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        49⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        50⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        51⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        52⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        53⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        54⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        55⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        56⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        57⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        58⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        59⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        60⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        61⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        62⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        63⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        64⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        65⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        66⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        67⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        68⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        69⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        70⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        71⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        72⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        73⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        74⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        75⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        76⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        77⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        78⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        79⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        80⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        81⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        82⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        83⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        84⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        85⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        86⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        87⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        88⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        89⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        90⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        91⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        92⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        93⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        94⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        95⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        96⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        97⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        98⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        99⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        100⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        101⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        102⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        103⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        104⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        105⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        106⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        107⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        108⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        109⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        110⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        111⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        112⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        113⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        114⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        115⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        116⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        117⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        118⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        119⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        120⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        121⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        122⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        123⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        124⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        125⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        126⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        127⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        128⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        129⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        130⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        131⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        132⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        133⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        134⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        135⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        136⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        137⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        138⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        139⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        140⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        141⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        142⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        143⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        144⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        145⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        146⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        147⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        148⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        149⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        150⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        151⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        152⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        153⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        154⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        155⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        156⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        157⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        158⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        159⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        160⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        161⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        162⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        163⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        164⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        165⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        166⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        167⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        168⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        169⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        170⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        171⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        172⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        173⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        174⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        175⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        176⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        177⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        178⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        179⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        180⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        181⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        182⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        183⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        184⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        185⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        186⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        187⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        188⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        189⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        190⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        191⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        192⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        193⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        194⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        195⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        196⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        197⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        198⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        199⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        200⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        201⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        202⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        203⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        204⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        205⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        206⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        207⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        208⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        209⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        210⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        211⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        212⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKMskoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        212⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAIAsUwY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        210⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqgMsIcY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        208⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ososgYcw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        206⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkgIcwII.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        204⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiYksooU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        202⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOAYswgs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        200⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiEgIgso.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        198⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        199⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        200⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        201⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        202⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        203⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        204⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        205⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        206⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        207⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        208⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        209⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        210⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        211⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        212⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        213⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        214⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        215⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        216⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        217⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        218⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        219⤵
        Modifies visibility of file extensions in Explorer
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        220⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        221⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        222⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        223⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        224⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        225⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        226⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        227⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        228⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        229⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        230⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        231⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        232⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        233⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        234⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        235⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        236⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        237⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        238⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        239⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        240⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        241⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        242⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        243⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        244⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        245⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        246⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        247⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        248⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        249⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        250⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        251⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        252⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        253⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        254⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        255⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        256⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        257⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        258⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        259⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        260⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        261⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        262⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        263⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        264⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        265⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        266⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        267⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        268⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        269⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        270⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        271⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        272⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        273⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199"
        274⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe
        
        C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199
        275⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQswIwwg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        274⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOoowAwI.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        272⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMQgQck.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        270⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        Modifies registry key
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmQcwQAU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        268⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esYQkwwA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        266⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsYcYUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        264⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REkoIcEs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        262⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAgwAUQw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        260⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        Modifies registry key
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCQQkQkM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        258⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmAYkIYg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        256⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        Modifies registry key
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaIIsUwk.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        254⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOkokgMo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        252⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCEIkMsM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        250⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies registry key
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcgQUEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        248⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIkckwYk.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        246⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        Modifies registry key
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        Modifies registry key
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiQMocso.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        244⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqQMQgcY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        242⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIsUkkAk.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        240⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCgQcoco.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        238⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQwkkkAs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        236⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwUIgIQg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        234⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyUsQEcc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        232⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKgEEQsw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        230⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWIAUYsE.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        228⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEgYYIkE.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        226⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGoQAggs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        224⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies registry key
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWsIYQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        222⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOsQAAQc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        220⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niEMIYgs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        218⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUIIsUkw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        216⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyMEAkoY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        214⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKwkkEIk.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        212⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIEYUIAM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        210⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmwgcEcw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        208⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        UAC bypass
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAkkAsYc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        206⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWIcIIAo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        204⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOIEYgso.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        202⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoQcgcAI.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        200⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsYEEEwA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        196⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywsIUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        194⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCwMggIY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        192⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYYAkMAs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        190⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReUEEswA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        188⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCYcUUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        186⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqIsQYos.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        184⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuogkkIo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        182⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGIsAcQA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        180⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RskwsoAA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        178⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syEwssok.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        176⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWoocsEc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        174⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEYocQUk.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        172⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGoIAgcg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        170⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWoQooEc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        168⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKwAsIQY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        166⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcUYkkAA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        164⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWosgEIY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        162⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOMcIgso.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        160⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saQcogQs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        158⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSgoAMYE.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        156⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYgUsAYU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        154⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYkMIggg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        152⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiEIoMcI.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        150⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GygIowIc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        148⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCUQgowE.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        146⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGEcEYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        144⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaYcckgw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        142⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoAkMsAc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        140⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyYEwQoA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        138⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEQMAUss.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        136⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEEMQkUc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        134⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAgcMsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        132⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKogwMEw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        130⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEwUsMYY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        128⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOYoEwUg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        126⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSQQoMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        124⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smsQcQcM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        122⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGocoogA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        120⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKEcscAI.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        118⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkcIQwcY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        116⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyEwcgMw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        114⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUcUwkMk.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        112⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwgcAsco.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        110⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faEwMAgo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        108⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsgcwUEg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        106⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgggUokY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        104⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUUIUUgM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        102⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSIMMUIc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        100⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PooUIUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        98⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEYYEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        96⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgscUssU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        94⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsIUIskw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        92⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKUMwcAo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        90⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScsMMUAc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        88⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkMMkMAg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        86⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEoQscwY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        84⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IogUsAMU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        82⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DycsMEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        80⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOccAYMA.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        78⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EksosIgg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        76⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sysoIgss.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        74⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMcYwUkc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        72⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYYYcAMI.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        70⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgQogQoo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        68⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWUAMYQs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        66⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewMEowwE.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        64⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmwUkoYo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        62⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEQgEcEo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        60⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqIgkIkM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        58⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSYwEMco.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        56⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGkMYsck.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        54⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAYgYEEU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        52⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USYMQQMc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        50⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESYMUkko.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        48⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiIswsEU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        46⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bacMsMUw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        44⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUkYsIYU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        42⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOAEAgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        40⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYkcQEwE.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        38⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rogMcMME.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        36⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYAQYYoc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        34⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKQEUIcI.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        32⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAYYkEYI.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        30⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMMEQUIc.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        28⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaQEYEoo.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        26⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYUQUcoI.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        24⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuUEcQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        22⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgssookU.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        20⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSUoMEEw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        18⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CScAMEMY.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        16⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymwYkQwM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        14⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycccgwoM.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PckogMMw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        10⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsgcoYww.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        8⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4348
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3636
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiYIIwEg.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
        6⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:216
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSYsEEAw.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
      4⤵
      PID:652
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3788
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emgksAEs.bat" "C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199.exe""
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4244

C:\ProgramData\OoEAMgQM\QgYQQYok.exe
C:\ProgramData\OoEAMgQM\QgYQQYok.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3652

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- UAC bypass
PID:3368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OoEAMgQM\QgYQQYok.exe

Filesize
434KB

MD5
b3c6a38b039b4cffd6d1e6bd1eba8fa6

SHA1
b508ae7a248e783a36a887577d6ab83167736c35

SHA256
a27c5b3df46ef5553054763e992ff2863e2489860109bf853c919d85025e7643

SHA512
e714f246a5b7a06445f5d4694ba0efc3f97f47c0fea7f639eaade4da84bead88bbce9be21feef6c437a4fe8a212c950a0a2b12363dbbb0bebf0ccf6b677e4639

Download Submit
C:\ProgramData\OoEAMgQM\QgYQQYok.exe

Filesize
434KB

MD5
b3c6a38b039b4cffd6d1e6bd1eba8fa6

SHA1
b508ae7a248e783a36a887577d6ab83167736c35

SHA256
a27c5b3df46ef5553054763e992ff2863e2489860109bf853c919d85025e7643

SHA512
e714f246a5b7a06445f5d4694ba0efc3f97f47c0fea7f639eaade4da84bead88bbce9be21feef6c437a4fe8a212c950a0a2b12363dbbb0bebf0ccf6b677e4639

Download Submit
C:\ProgramData\YmcIkYcI\TEUEkUIs.exe

Filesize
430KB

MD5
0f076504cda21c5052bf602e7a698069

SHA1
9d0f5478a97b7d26a3c032bc0f3ec7511f915a5f

SHA256
b567e112b9848c1fdde44e3f5ab6bb85899291039a52e084d106e4e4b934bcab

SHA512
d43bbc3a6eccd6b3e63ed1c46960fdf16a9596e35c45244a02fd3edd333a2625b859903d36506daf050431983aaa41f960d35c9118c21ff6aa6bd4c01438a412

Download Submit
C:\ProgramData\YmcIkYcI\TEUEkUIs.exe

Filesize
430KB

MD5
0f076504cda21c5052bf602e7a698069

SHA1
9d0f5478a97b7d26a3c032bc0f3ec7511f915a5f

SHA256
b567e112b9848c1fdde44e3f5ab6bb85899291039a52e084d106e4e4b934bcab

SHA512
d43bbc3a6eccd6b3e63ed1c46960fdf16a9596e35c45244a02fd3edd333a2625b859903d36506daf050431983aaa41f960d35c9118c21ff6aa6bd4c01438a412

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOAEAgcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAYYkEYI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CScAMEMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiYIIwEg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DsgcoYww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaQEYEoo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYUQUcoI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYAQYYoc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PckogMMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgssookU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKQEUIcI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSYsEEAw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYkcQEwE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf8b6e1b16e202a3e6f41ab58b176974f2526412d0c1f6dd6fc34a7e0295199

Filesize
6KB

MD5
1c17c162defdab9d945161e028a65b7b

SHA1
57b06993552a571eaacddb9836b72525120b04db

SHA256
ac791b7dd63587134076d1b62f91de3710266be921b04f89c0ac4840d6531ef4

SHA512
e1ac6cd5fc6970da778931f41aad2c980829a97af12eac6c1792539bc65146f680b17ec21bbec2a4ba34e8770d563e3467ac787dbb5a81dd9dc04b7bde9b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSUoMEEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMMEQUIc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rogMcMME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuUEcQcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycccgwoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymwYkQwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\QkswUAwA\xOQsoUIE.exe

Filesize
431KB

MD5
ac4b24f3e2b44471df7e80021cf8d99b

SHA1
7a5afbc19716133405c7df95e9ccf3a8019fcdb9

SHA256
c622c6e7b095d86469aa4b4927f794709a5e1da3189644dc46b767400d072b25

SHA512
eca863ae7fb9bea9105c36b127d1df7772a3c817f9ad683fb2fda19e02f5c6476f2998881f6136a2dad911b6668c7c5ea65b773f046a19d1703b45c616868423

Download Submit
C:\Users\Admin\QkswUAwA\xOQsoUIE.exe

Filesize
431KB

MD5
ac4b24f3e2b44471df7e80021cf8d99b

SHA1
7a5afbc19716133405c7df95e9ccf3a8019fcdb9

SHA256
c622c6e7b095d86469aa4b4927f794709a5e1da3189644dc46b767400d072b25

SHA512
eca863ae7fb9bea9105c36b127d1df7772a3c817f9ad683fb2fda19e02f5c6476f2998881f6136a2dad911b6668c7c5ea65b773f046a19d1703b45c616868423

Download Submit
memory/520-248-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/560-280-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/560-276-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1012-312-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1280-182-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1280-192-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1304-305-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1316-294-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1316-290-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1360-289-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1688-275-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1688-273-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1712-258-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1712-262-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1812-307-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2056-135-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2148-322-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2156-298-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2176-306-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2176-304-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2296-302-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2460-137-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2460-136-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2676-266-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2824-308-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2880-317-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2920-323-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3012-208-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3012-214-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3032-268-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3108-202-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3192-321-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3192-303-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3224-299-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3372-253-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3372-252-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3548-229-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3548-210-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3748-160-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3748-171-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3792-300-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3792-301-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3944-285-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4084-257-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4252-311-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4312-167-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4312-156-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4400-180-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4400-169-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4536-239-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4536-220-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4544-316-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4552-313-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4572-315-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4572-314-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4656-309-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4656-310-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4772-320-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4968-147-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4968-159-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5068-155-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5068-141-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5112-319-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5112-318-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download