a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Size

834KB
MD5

30f15a801dc2562f4ca607c06415e810
SHA1

bca52ea91eddcd0adc20d1126b900dd771fc3e67
SHA256

a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
SHA512

387f432da3ddd26a071b544df13213eefb003dffe371f9b9ba0bf9897bd8b412672e0f16ab1c018579c948516fb203ffae66d5aa182f16f751d4fef93f76abe9
SSDEEP

12288:B3Mh0YJwRrs6EqjhVpa6J7+Yae2oIqzxi9Nm1B3tPLZKQm/jv4i2O7jZb99ckQJA:Buh6JqmQYIuCwgj9rKw

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fmQYcsQM\\QUYAswss.exe,"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\fmQYcsQM\\QUYAswss.exe,"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fmQYcsQM\\QUYAswss.exe,C:\\ProgramData\\aYwEEIoQ\\kCAgwwwA.exe,"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\fmQYcsQM\\QUYAswss.exe,C:\\ProgramData\\aYwEEIoQ\\kCAgwwwA.exe,"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2044	paAIUkUY.exe
940	QUYAswss.exe
884	KyogUYAI.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\SelectRead.png.exe	QUYAswss.exe
File opened for modification	C:\Users\Admin\Pictures\SelectRead.png.exe	paAIUkUY.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	paAIUkUY.exe

Deletes itself 1 IoCs

pid	Process
928	cmd.exe

Loads dropped DLL 26 IoCs

pid	Process
1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
940	QUYAswss.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\paAIUkUY.exe = "C:\\Users\\Admin\\hcQEosgk\\paAIUkUY.exe"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QUYAswss.exe = "C:\\ProgramData\\fmQYcsQM\\QUYAswss.exe"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QUYAswss.exe = "C:\\ProgramData\\fmQYcsQM\\QUYAswss.exe"	QUYAswss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\paAIUkUY.exe = "C:\\Users\\Admin\\hcQEosgk\\paAIUkUY.exe"	paAIUkUY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QUYAswss.exe = "C:\\ProgramData\\fmQYcsQM\\QUYAswss.exe"	KyogUYAI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\BsQIAMkk.exe = "C:\\Users\\Admin\\NeUsoUYM\\BsQIAMkk.exe"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kCAgwwwA.exe = "C:\\ProgramData\\aYwEEIoQ\\kCAgwwwA.exe"	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\hcQEosgk	KyogUYAI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\hcQEosgk\paAIUkUY	KyogUYAI.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	QUYAswss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1408	1756	WerFault.exe
1828	1540	WerFault.exe
1660	1356	WerFault.exe	142

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1616	reg.exe
1612	reg.exe
1804	reg.exe
1456	reg.exe
1384	reg.exe
456	reg.exe
1532	reg.exe
548	reg.exe
1972	reg.exe
316	reg.exe
616	reg.exe
1092	reg.exe
1092	reg.exe
1224	reg.exe
828	reg.exe
1508	reg.exe
1072	reg.exe
1160	reg.exe
1276	reg.exe
2008	reg.exe
456	reg.exe
1360	reg.exe
1276	reg.exe
1620	reg.exe
1592	reg.exe
684	reg.exe
1268	reg.exe
1572	reg.exe
1640	reg.exe
2028	reg.exe
828	reg.exe
1996	reg.exe
928	reg.exe
740	reg.exe
548	reg.exe
1624	reg.exe
1992	reg.exe
1660	reg.exe
1624	reg.exe
1676	reg.exe
1640	reg.exe
600	reg.exe
1160	reg.exe
1524	reg.exe
1328	reg.exe
1880	reg.exe
1000	reg.exe
740	reg.exe
740	reg.exe
1392	reg.exe
1072	reg.exe
2004	reg.exe
888	reg.exe
1824	reg.exe
1304	reg.exe
2028	reg.exe
1328	reg.exe
568	reg.exe
1880	reg.exe
820	reg.exe
2028	reg.exe
432	reg.exe
1640	reg.exe
1560	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1824	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1824	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1956	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1956	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1360	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1360	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1492	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1492	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1616	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1616	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1392	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1392	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
616	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
616	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1612	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1612	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1508	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1508	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2032	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2032	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1300	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1300	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1992	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1992	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
900	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
900	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1464	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1464	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1148	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1148	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1384	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1384	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
860	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
860	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1424	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1424	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
740	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
740	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1392	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1392	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1956	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1956	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1676	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1676	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1424	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1424	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1596	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1596	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2032	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
2032	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1716	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1716	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
888	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
888	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1388	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
1388	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe
2044	paAIUkUY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2044	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	27
PID 1304 wrote to memory of 2044	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	27
PID 1304 wrote to memory of 2044	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	27
PID 1304 wrote to memory of 2044	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	27
PID 1304 wrote to memory of 940	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	28
PID 1304 wrote to memory of 940	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	28
PID 1304 wrote to memory of 940	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	28
PID 1304 wrote to memory of 940	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	28
PID 1304 wrote to memory of 1384	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	30
PID 1304 wrote to memory of 1384	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	30
PID 1304 wrote to memory of 1384	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	30
PID 1304 wrote to memory of 1384	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	30
PID 1384 wrote to memory of 548	1384	cmd.exe	32
PID 1384 wrote to memory of 548	1384	cmd.exe	32
PID 1384 wrote to memory of 548	1384	cmd.exe	32
PID 1384 wrote to memory of 548	1384	cmd.exe	32
PID 1304 wrote to memory of 1456	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	33
PID 1304 wrote to memory of 1456	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	33
PID 1304 wrote to memory of 1456	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	33
PID 1304 wrote to memory of 1456	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	33
PID 1304 wrote to memory of 888	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	34
PID 1304 wrote to memory of 888	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	34
PID 1304 wrote to memory of 888	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	34
PID 1304 wrote to memory of 888	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	34
PID 1304 wrote to memory of 1368	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	36
PID 1304 wrote to memory of 1368	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	36
PID 1304 wrote to memory of 1368	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	36
PID 1304 wrote to memory of 1368	1304	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	36
PID 548 wrote to memory of 1492	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	39
PID 548 wrote to memory of 1492	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	39
PID 548 wrote to memory of 1492	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	39
PID 548 wrote to memory of 1492	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	39
PID 1492 wrote to memory of 1636	1492	cmd.exe	41
PID 1492 wrote to memory of 1636	1492	cmd.exe	41
PID 1492 wrote to memory of 1636	1492	cmd.exe	41
PID 1492 wrote to memory of 1636	1492	cmd.exe	41
PID 548 wrote to memory of 992	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	42
PID 548 wrote to memory of 992	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	42
PID 548 wrote to memory of 992	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	42
PID 548 wrote to memory of 992	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	42
PID 548 wrote to memory of 1832	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	43
PID 548 wrote to memory of 1832	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	43
PID 548 wrote to memory of 1832	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	43
PID 548 wrote to memory of 1832	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	43
PID 1636 wrote to memory of 1084	1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	44
PID 1636 wrote to memory of 1084	1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	44
PID 1636 wrote to memory of 1084	1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	44
PID 1636 wrote to memory of 1084	1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	44
PID 548 wrote to memory of 1092	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	46
PID 548 wrote to memory of 1092	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	46
PID 548 wrote to memory of 1092	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	46
PID 548 wrote to memory of 1092	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	46
PID 548 wrote to memory of 1804	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	49
PID 548 wrote to memory of 1804	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	49
PID 548 wrote to memory of 1804	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	49
PID 548 wrote to memory of 1804	548	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	49
PID 1084 wrote to memory of 1824	1084	cmd.exe	52
PID 1084 wrote to memory of 1824	1084	cmd.exe	52
PID 1084 wrote to memory of 1824	1084	cmd.exe	52
PID 1084 wrote to memory of 1824	1084	cmd.exe	52
PID 1636 wrote to memory of 1168	1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	53
PID 1636 wrote to memory of 1168	1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	53
PID 1636 wrote to memory of 1168	1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	53
PID 1636 wrote to memory of 1168	1636	a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe	53

C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
"C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\hcQEosgk\paAIUkUY.exe
  "C:\Users\Admin\hcQEosgk\paAIUkUY.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  PID:2044
- C:\ProgramData\fmQYcsQM\QUYAswss.exe
  "C:\ProgramData\fmQYcsQM\QUYAswss.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
    C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        8⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        10⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        12⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        14⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        16⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        18⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        19⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1808
        
        C:\Users\Admin\NeUsoUYM\BsQIAMkk.exe
        
        "C:\Users\Admin\NeUsoUYM\BsQIAMkk.exe"
        20⤵
        
        PID:1756
        
        C:\ProgramData\aYwEEIoQ\kCAgwwwA.exe
        
        "C:\ProgramData\aYwEEIoQ\kCAgwwwA.exe"
        20⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        20⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        22⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        24⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        26⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        28⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        30⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        32⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        34⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        36⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        38⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        40⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        42⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        44⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        46⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        48⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        50⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        52⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        54⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        56⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        58⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        60⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        62⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        64⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        65⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        66⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        67⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        68⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        69⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        70⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        71⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        72⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        73⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        74⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        75⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        76⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        77⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        78⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        79⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        80⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        81⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        82⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        83⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        84⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        85⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        86⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        87⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        88⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        89⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        90⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        91⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        92⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        93⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        94⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        95⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        96⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        97⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        98⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        99⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        100⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        101⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        102⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        103⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        104⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        105⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        106⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        107⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        108⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        109⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        110⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        111⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        112⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        113⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        114⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        115⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        116⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        117⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        118⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        119⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        120⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        121⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        122⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        123⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        124⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        125⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        126⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        127⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        128⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        129⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        130⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        131⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        132⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        133⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        134⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        135⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        136⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        137⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        138⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        139⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        140⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        141⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        142⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        143⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        144⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        145⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        146⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        147⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        148⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        149⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        150⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        151⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        152⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        153⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        154⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        155⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        156⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        157⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        158⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        159⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        160⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        161⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        162⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        163⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        164⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        165⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        166⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        167⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        168⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        169⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        170⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        171⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        172⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        173⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        174⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        175⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        176⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        177⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        178⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        179⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        180⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        181⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        182⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        183⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        184⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        185⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        186⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        187⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab"
        188⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe
        
        C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab
        189⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bowUQMQA.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        188⤵
        Deletes itself
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCEgMUss.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        186⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MiIcAYEw.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        184⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\quccscwk.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        182⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEwMwwYM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        180⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYowgksU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        178⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUQEoQwE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        176⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FusocIQw.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        174⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\woAgksEU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        172⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gcowkcgA.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        170⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYYUkcgI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        168⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kewAkIkw.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        166⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqQgYQwk.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        164⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkQEIQgM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        162⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQoUcMwg.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        160⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YioEUEEY.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        158⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQcQYgMc.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        156⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCgUIIwc.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        154⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWcsogYY.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        152⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WukUMksQ.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        150⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkwUcoMg.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        148⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOUgcIYY.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        146⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMYQQUEw.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        144⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIscQoow.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        142⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQsEkUAI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        140⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSskcMEM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        138⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSgAgEUI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        136⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xoskQUoE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        134⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyUoQckQ.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        132⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoIogkMo.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        130⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygcEAgwM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        128⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQcUUAgo.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        126⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmMwwkAs.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        124⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\waooIoQo.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        122⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mucsgUMg.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        120⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaccUssU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        118⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYwsQcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        116⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yigwQUQs.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        114⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QEYUokIM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        112⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DSgsYYYc.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        110⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\giwgkwck.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        108⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oeQkQgsI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        106⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWowQoMY.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        104⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUAIkccY.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        102⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKAsocoU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        100⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WagsEokE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        98⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoEYUkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        96⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCMQsgEA.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        94⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\seIocUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        92⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcUUkcEs.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        90⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOcYMQsE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        88⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKwUwUkk.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        86⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOkIMMsE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        84⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSwcUgAY.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        82⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\heEYAkAI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        80⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiQYMgsE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        78⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kOMccEcI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        76⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vewwAscs.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        74⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkkEkYUU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        72⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKAgEksA.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        70⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMYwYUQM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        68⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HqMQkAQg.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        66⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQIwgccw.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        64⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUgcgQwE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        62⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGsscUgU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        60⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pwsAUAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        58⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUgEMYYk.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        56⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\esMEYUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        54⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCowUAwo.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        52⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqscccsA.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        50⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EqoYscQA.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        48⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgcoEQIE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        46⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSQkoIEo.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        44⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYAEIsUg.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        42⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dcMwgsoc.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        40⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EewsQYMU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        38⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iMUgAcIw.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        36⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JWwUgIkU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        34⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\twswMQIA.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        32⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CyYUAYcI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        30⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGUswYkY.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        28⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jikQEwkI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        26⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GeEogAEM.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        24⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUocwAcI.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        22⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FykEYYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        20⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EekIMsgg.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        18⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hGUcMwYA.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        16⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaMsYkQU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        14⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIogYUwk.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        12⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQskkwAk.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zuYwUEIE.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        8⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1676
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1268
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1508
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TugUAgcg.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
        6⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1324
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\TocwcQII.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
      4⤵
      PID:1804
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:888
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMEIYoUU.bat" "C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab.exe""
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:836

C:\ProgramData\tgEMgUIY\KyogUYAI.exe
C:\ProgramData\tgEMgUIY\KyogUYAI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 120
1⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 120
1⤵
- Program crash
PID:1828

C:\ProgramData\BgEEIwoc\SGgcYcMg.exe
C:\ProgramData\BgEEIwoc\SGgcYcMg.exe
1⤵
PID:1356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 88
  2⤵
  - Program crash
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fmQYcsQM\QUYAswss.exe

Filesize
479KB

MD5
7f64f8cfbce2aae8940ab4b230a8684b

SHA1
c1737d24af7086231b230a0d00ae22beb020198d

SHA256
4913447fc7f69851cc4e656936d79ac9cc692997c58361113dc609682698b480

SHA512
d9fa5577975c014c9ae53fb3d8209ec586399286010de24d67b4dc80b02823b89032a70790841d2339f74eb8929d8d689b03da30af5bd91260871890c31cbe78

Download Submit
C:\ProgramData\tgEMgUIY\KyogUYAI.exe

Filesize
481KB

MD5
1957b91e354a32e47f142387d474dd5c

SHA1
2ea5db05f6f6439eb85840a14bd3e3b2b7a2d9c3

SHA256
069caf94c6f5d63d65e1999ca16525ee8adf128914605d7f47a95431772e3b01

SHA512
ef3424624cef21c0a75f1c13e50983c9cc13bb1b301a5e00ce2f17b755916b3a4a8b73201fdf03af95ade326c025f583b08885f5537d663eb7b41a372c788b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\EekIMsgg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GeEogAEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQskkwAk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TocwcQII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TugUAgcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a742a9005b463c7fc81681e9a74391b74df4e20eb9aebe4702d3f692e55db8ab

Filesize
352KB

MD5
5feab868caedbbd1b7a145ca8261e4aa

SHA1
f43f28cc5165608e6fb3794e9a3d083ca2c75f0e

SHA256
08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c

SHA512
91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGUcMwYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jikQEwkI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEIYoUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIogYUwk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUocwAcI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaMsYkQU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuYwUEIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\hcQEosgk\paAIUkUY.exe

Filesize
476KB

MD5
fc11c943d50c50beee2b3b476cdce8f3

SHA1
90dcf4fe31db6b1835792fc352c166feb88a6a28

SHA256
de07e1283a9dce9b3704ef0a8a06d0a1d6232aa56be7e19ee39fc7a026cd3ffb

SHA512
b31bcb23575bf644e727c2d1db4c297cb7c17ba0238e47f2f97cfdb0bd7e21b52f647ddb624a6bef0f8558fc8b48607a57afd61299fa91c22482f99f9c2a2d87

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\fmQYcsQM\QUYAswss.exe

Filesize
479KB

MD5
7f64f8cfbce2aae8940ab4b230a8684b

SHA1
c1737d24af7086231b230a0d00ae22beb020198d

SHA256
4913447fc7f69851cc4e656936d79ac9cc692997c58361113dc609682698b480

SHA512
d9fa5577975c014c9ae53fb3d8209ec586399286010de24d67b4dc80b02823b89032a70790841d2339f74eb8929d8d689b03da30af5bd91260871890c31cbe78

Download Submit
\ProgramData\fmQYcsQM\QUYAswss.exe

Filesize
479KB

MD5
7f64f8cfbce2aae8940ab4b230a8684b

SHA1
c1737d24af7086231b230a0d00ae22beb020198d

SHA256
4913447fc7f69851cc4e656936d79ac9cc692997c58361113dc609682698b480

SHA512
d9fa5577975c014c9ae53fb3d8209ec586399286010de24d67b4dc80b02823b89032a70790841d2339f74eb8929d8d689b03da30af5bd91260871890c31cbe78

Download Submit
\Users\Admin\hcQEosgk\paAIUkUY.exe

Filesize
476KB

MD5
fc11c943d50c50beee2b3b476cdce8f3

SHA1
90dcf4fe31db6b1835792fc352c166feb88a6a28

SHA256
de07e1283a9dce9b3704ef0a8a06d0a1d6232aa56be7e19ee39fc7a026cd3ffb

SHA512
b31bcb23575bf644e727c2d1db4c297cb7c17ba0238e47f2f97cfdb0bd7e21b52f647ddb624a6bef0f8558fc8b48607a57afd61299fa91c22482f99f9c2a2d87

Download Submit
\Users\Admin\hcQEosgk\paAIUkUY.exe

Filesize
476KB

MD5
fc11c943d50c50beee2b3b476cdce8f3

SHA1
90dcf4fe31db6b1835792fc352c166feb88a6a28

SHA256
de07e1283a9dce9b3704ef0a8a06d0a1d6232aa56be7e19ee39fc7a026cd3ffb

SHA512
b31bcb23575bf644e727c2d1db4c297cb7c17ba0238e47f2f97cfdb0bd7e21b52f647ddb624a6bef0f8558fc8b48607a57afd61299fa91c22482f99f9c2a2d87

Download Submit
memory/548-77-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/548-89-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/616-211-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/616-217-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/740-285-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/740-284-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/860-276-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/860-273-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/884-227-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/884-70-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-257-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/900-260-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/940-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/940-226-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-263-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1148-268-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1300-253-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1300-252-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1304-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1304-104-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1304-55-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1356-202-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1360-145-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1360-170-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1384-272-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1384-270-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1392-288-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1392-206-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1392-283-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1392-210-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1424-300-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1424-301-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1424-278-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1424-280-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1464-265-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1464-264-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1492-185-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1492-179-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1508-228-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1508-244-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1540-205-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1596-298-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1612-237-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1612-229-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1616-180-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1616-198-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1636-86-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1636-150-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1636-98-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1636-144-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1676-291-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1676-296-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1756-204-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1824-121-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1824-100-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1956-129-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1956-135-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1956-293-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1956-292-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1992-256-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1992-251-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2032-248-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2032-245-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2044-225-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2044-68-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download