9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Analysis

max time kernel
190s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
Size

445KB
MD5

7d29491defd63eb9a66673a4e8929610
SHA1

7c0b58795bc86dbfeb9c3763d33e1072ccd917b4
SHA256

9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
SHA512

fe0e531a38bad87452eb663289691239dbf3e44b6e5ea903cf383b19a664ad49520e8b6d5efe05e7f283c8badfa3c0a16c9c98f1f3cd887a7e74bc57b4db280d
SSDEEP

12288:4+d4na+Or3g4ADajEXYvu2XqbDjfTBc3VzF1bLbm8s3mjYyyTeH+:4++iU4ADaj6YmJbXfT23VRx7N8le+

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3140	pEosgIws.exe
4568	nqYsIMgA.exe
3424	vWUkYkkU.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	pEosgIws.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pEosgIws.exe = "C:\\Users\\Admin\\UuEoEEYA\\pEosgIws.exe"	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nqYsIMgA.exe = "C:\\ProgramData\\YOYgwIYA\\nqYsIMgA.exe"	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pEosgIws.exe = "C:\\Users\\Admin\\UuEoEEYA\\pEosgIws.exe"	pEosgIws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nqYsIMgA.exe = "C:\\ProgramData\\YOYgwIYA\\nqYsIMgA.exe"	nqYsIMgA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nqYsIMgA.exe = "C:\\ProgramData\\YOYgwIYA\\nqYsIMgA.exe"	vWUkYkkU.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheProtectUninstall.mp3	pEosgIws.exe
File opened for modification	C:\Windows\SysWOW64\sheReceiveShow.pdf	pEosgIws.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\UuEoEEYA	vWUkYkkU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\UuEoEEYA\pEosgIws	vWUkYkkU.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	pEosgIws.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3184	Process not Found
1916	reg.exe
5296	reg.exe
5920	reg.exe
3564	reg.exe
5040	reg.exe
4668	reg.exe
4468	reg.exe
208	reg.exe
3144	reg.exe
4288	reg.exe
5220	reg.exe
1348	reg.exe
3136	Process not Found
692	reg.exe
2040	reg.exe
1540	reg.exe
4444	reg.exe
2272	reg.exe
3944	reg.exe
5812	reg.exe
2516	reg.exe
1652	reg.exe
808	reg.exe
2744	reg.exe
880	Process not Found
5220	reg.exe
3948	Process not Found
4068	reg.exe
5976	reg.exe
532	reg.exe
5072	reg.exe
4392	reg.exe
5956	reg.exe
4012	reg.exe
3844	reg.exe
5952	reg.exe
3100	reg.exe
3932	reg.exe
4212	reg.exe
4552	reg.exe
4092	reg.exe
4596	reg.exe
4212	reg.exe
1336	reg.exe
4416	reg.exe
6136	Process not Found
2988	reg.exe
4476	reg.exe
2340	reg.exe
1752	reg.exe
4496	reg.exe
4768	reg.exe
4756	reg.exe
908	reg.exe
2988	reg.exe
1304	reg.exe
5856	reg.exe
3172	Process not Found
5304	reg.exe
752	reg.exe
1464	reg.exe
5080	reg.exe
6120	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1856	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1856	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1856	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1856	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4532	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4532	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4532	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4532	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
956	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
956	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
956	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
956	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
3844	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
3844	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
3844	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
3844	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4260	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4260	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4260	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4260	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1364	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1364	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1364	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1364	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1472	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1472	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1472	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1472	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4212	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4212	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4212	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4212	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4456	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4456	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4456	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
4456	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5036	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5036	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5036	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5036	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5424	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5424	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5424	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5424	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5560	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5560	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5560	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
5560	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
6140	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
6140	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
6140	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
6140	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
796	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
796	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
796	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
796	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1380	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1380	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1380	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
1380	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3140	pEosgIws.exe
3140	pEosgIws.exe
3140	pEosgIws.exe
3140	pEosgIws.exe
3140	pEosgIws.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3140	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	81
PID 5024 wrote to memory of 3140	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	81
PID 5024 wrote to memory of 3140	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	81
PID 5024 wrote to memory of 4568	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	82
PID 5024 wrote to memory of 4568	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	82
PID 5024 wrote to memory of 4568	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	82
PID 5024 wrote to memory of 3192	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	84
PID 5024 wrote to memory of 3192	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	84
PID 5024 wrote to memory of 3192	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	84
PID 5024 wrote to memory of 2488	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	87
PID 5024 wrote to memory of 2488	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	87
PID 5024 wrote to memory of 2488	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	87
PID 3192 wrote to memory of 1856	3192	cmd.exe	86
PID 3192 wrote to memory of 1856	3192	cmd.exe	86
PID 3192 wrote to memory of 1856	3192	cmd.exe	86
PID 5024 wrote to memory of 3916	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	90
PID 5024 wrote to memory of 3916	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	90
PID 5024 wrote to memory of 3916	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	90
PID 5024 wrote to memory of 3556	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	88
PID 5024 wrote to memory of 3556	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	88
PID 5024 wrote to memory of 3556	5024	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	88
PID 1856 wrote to memory of 2340	1856	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	93
PID 1856 wrote to memory of 2340	1856	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	93
PID 1856 wrote to memory of 2340	1856	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	93
PID 2340 wrote to memory of 4532	2340	cmd.exe	95
PID 2340 wrote to memory of 4532	2340	cmd.exe	95
PID 2340 wrote to memory of 4532	2340	cmd.exe	95
PID 4532 wrote to memory of 4388	4532	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	96
PID 4532 wrote to memory of 4388	4532	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	96
PID 4532 wrote to memory of 4388	4532	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	96
PID 4388 wrote to memory of 956	4388	cmd.exe	98
PID 4388 wrote to memory of 956	4388	cmd.exe	98
PID 4388 wrote to memory of 956	4388	cmd.exe	98
PID 956 wrote to memory of 4144	956	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	99
PID 956 wrote to memory of 4144	956	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	99
PID 956 wrote to memory of 4144	956	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	99
PID 4144 wrote to memory of 3844	4144	cmd.exe	101
PID 4144 wrote to memory of 3844	4144	cmd.exe	101
PID 4144 wrote to memory of 3844	4144	cmd.exe	101
PID 3844 wrote to memory of 4596	3844	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	102
PID 3844 wrote to memory of 4596	3844	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	102
PID 3844 wrote to memory of 4596	3844	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	102
PID 4596 wrote to memory of 4260	4596	cmd.exe	104
PID 4596 wrote to memory of 4260	4596	cmd.exe	104
PID 4596 wrote to memory of 4260	4596	cmd.exe	104
PID 4260 wrote to memory of 2056	4260	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	105
PID 4260 wrote to memory of 2056	4260	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	105
PID 4260 wrote to memory of 2056	4260	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	105
PID 2056 wrote to memory of 1364	2056	cmd.exe	107
PID 2056 wrote to memory of 1364	2056	cmd.exe	107
PID 2056 wrote to memory of 1364	2056	cmd.exe	107
PID 1364 wrote to memory of 4876	1364	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	108
PID 1364 wrote to memory of 4876	1364	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	108
PID 1364 wrote to memory of 4876	1364	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	108
PID 4876 wrote to memory of 1472	4876	cmd.exe	110
PID 4876 wrote to memory of 1472	4876	cmd.exe	110
PID 4876 wrote to memory of 1472	4876	cmd.exe	110
PID 1472 wrote to memory of 2920	1472	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	111
PID 1472 wrote to memory of 2920	1472	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	111
PID 1472 wrote to memory of 2920	1472	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	111
PID 2920 wrote to memory of 4212	2920	cmd.exe	113
PID 2920 wrote to memory of 4212	2920	cmd.exe	113
PID 2920 wrote to memory of 4212	2920	cmd.exe	113
PID 4212 wrote to memory of 5056	4212	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe	114

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
"C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\UuEoEEYA\pEosgIws.exe
  "C:\Users\Admin\UuEoEEYA\pEosgIws.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  PID:3140
- C:\ProgramData\YOYgwIYA\nqYsIMgA.exe
  "C:\ProgramData\YOYgwIYA\nqYsIMgA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
    C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        18⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        20⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqIkkkwM.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        20⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hooUUMco.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        18⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOAwQQMk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        16⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYoQEwgs.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        14⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuMYsAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        12⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoksogQQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        10⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsAosAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        8⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5040
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4804
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1636
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygssAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        6⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:5816
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcAIgwIc.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
      4⤵
      PID:3488
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4344
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2488
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3556
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYsYwgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:5752

C:\ProgramData\dMskksgQ\vWUkYkkU.exe
C:\ProgramData\dMskksgQ\vWUkYkkU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcwoMgsk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
1⤵
PID:744
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
1⤵
PID:4420
- C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
  C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
    3⤵
    PID:5504
  - - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
      C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        5⤵
        
        PID:5808
      - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        7⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        9⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        11⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        12⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        13⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        14⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYscsAEo.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        15⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        15⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        16⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        17⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        18⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        19⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        20⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        21⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        22⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        23⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        24⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        25⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        26⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        27⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        28⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        29⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        30⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        31⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        32⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        33⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        34⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        35⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        36⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        37⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        38⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        39⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        40⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        41⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        42⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        43⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        44⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        45⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        46⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        47⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        48⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        49⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        50⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        51⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        52⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        53⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        54⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        55⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        56⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        57⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        58⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        59⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        60⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        61⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        62⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        63⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        64⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        65⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        66⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        67⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        68⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        69⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        70⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        71⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        72⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        73⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        74⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        75⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        76⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        77⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        78⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        79⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        80⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        81⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        82⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        83⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        84⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        85⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        86⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        87⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        88⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        89⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        90⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        91⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        92⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        93⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        94⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        95⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        96⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        97⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        98⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        99⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        100⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        101⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        102⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        103⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        104⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        105⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        106⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        107⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        108⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        109⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        110⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        111⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        112⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        113⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        114⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        115⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        116⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        117⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        118⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        119⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        120⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        121⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        122⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        123⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        124⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        125⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        126⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        127⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        128⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        129⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        130⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        131⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        132⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        133⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        134⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkoIoAoI.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        135⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        136⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        135⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        135⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        135⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        135⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        136⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        137⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        138⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMsEsQgE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        139⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        140⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        139⤵
        UAC bypass
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        139⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        139⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        139⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuQUUEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        137⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        138⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        138⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcccgUYo.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        139⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        139⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        139⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        139⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        139⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        137⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        137⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        137⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        133⤵
        UAC bypass
        
        PID:5604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        133⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        133⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACogcQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        133⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        134⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        131⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOgMEgEI.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        131⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        132⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        131⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        131⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmYMYAEw.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        129⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        130⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        129⤵
        UAC bypass
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        129⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        129⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiYkgYYU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        127⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        128⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        127⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        127⤵
        Modifies registry key
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        127⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgUogUgM.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        125⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        126⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        125⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        125⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYUQMIoU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        123⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        124⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        123⤵
        UAC bypass
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        123⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hakkcIQE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        121⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        122⤵
        
        PID:580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        UAC bypass
        
        PID:5592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        121⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        121⤵
        
        PID:5696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOkcwAoE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        119⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUkMQgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        117⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        118⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        UAC bypass
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUQowcsw.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        115⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        Modifies registry key
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyYwYkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        113⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEMwkUck.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        111⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        UAC bypass
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeAkQAoM.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        109⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bswQowcA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        107⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQcUoAkE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        105⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOQsUAYU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        103⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        UAC bypass
        
        PID:5824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        Modifies registry key
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auscAAQE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        101⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        UAC bypass
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQYwUwIA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        99⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        UAC bypass
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zekoUAEM.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        97⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEokAwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        95⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        96⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWAQMsos.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        93⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        UAC bypass
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        92⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKMMYckk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        93⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        93⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMEgIgwU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        91⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taIQUcEY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        89⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgUMwwYo.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        87⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        88⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGsEQUIg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        85⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIskwUsA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        83⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        UAC bypass
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moAsEgAk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        81⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGMUEkEM.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        79⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        UAC bypass
        Modifies registry key
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muQEswwc.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        77⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsQcosEw.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        75⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiQwwMkI.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        73⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        UAC bypass
        
        PID:6128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEIwskUA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        72⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        72⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        Modifies registry key
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIsAYEYY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        71⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        70⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKcAIcMc.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        69⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quIwMoEE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        67⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        Modifies registry key
        
        PID:5956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeksEcQY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        65⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        UAC bypass
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQAQUIQE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        63⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:6052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        Modifies registry key
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psgoQIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        61⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqAAcAUk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        62⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        62⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYocgMAA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        59⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leMwAEQg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        57⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        
        PID:5916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        58⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        59⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmAsYAwE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        59⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isowUUcg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        55⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsQsAcws.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        53⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSwQwYMk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        51⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYksskAk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        49⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RocEgMcY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        48⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        48⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mykosIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        47⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        Modifies registry key
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKssEAIw.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        45⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        
        PID:6068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psAkAAQM.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        43⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyQoUwYA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        41⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiwAEQoY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        39⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcscIkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        37⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        Modifies registry key
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUYgUYcc.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        35⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCEAgosA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        33⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ockUUkoY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        31⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGIEoQsU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        29⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        
        PID:5316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        Modifies registry key
        
        PID:5220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiYYgYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        27⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoEYYMsU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        25⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSocMooA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        27⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        27⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKsAEYgY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        23⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiEAskAg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        21⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        
        PID:6100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies registry key
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqYgIskk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        19⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        21⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        22⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        23⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        24⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        25⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        26⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        27⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        28⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        29⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        30⤵
        
        PID:480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        31⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        32⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        33⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        34⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        35⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        36⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        37⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        38⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        39⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        40⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        41⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        42⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        43⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        44⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        45⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        46⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        47⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        48⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        49⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        50⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        51⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        52⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        53⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        54⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        55⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        56⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        57⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        58⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        59⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        60⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        61⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        62⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        63⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        64⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        65⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        66⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        67⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        68⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        69⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        70⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        71⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        72⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        73⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        74⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        75⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYwccIkA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        74⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEIgEwsU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        72⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgIMYwkM.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        70⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiscgkMA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        68⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioUoUAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        66⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKcIkwsk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        64⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMsQAEUA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        62⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:5220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiIkUQYI.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        60⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lykIEMwg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        58⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEAcAwAg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        56⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqosIkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        54⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEEYQQsw.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        52⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIgsEAkA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        50⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWIgkIgY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        48⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqIAEIYA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        46⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScUossgk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        44⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkYAkEAE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        42⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwEUcUcw.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        40⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGEQUksM.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        38⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWkkIQUw.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        36⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGsosMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        34⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQoksQcs.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        32⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYsEUowQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        30⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMcIgAkc.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        28⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        UAC bypass
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKEwkIsE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        26⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYggIoEA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        24⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        UAC bypass
        
        PID:5332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKcUkQwo.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        22⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        20⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        21⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        22⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        23⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        24⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISMYAIQc.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        23⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcAYwgkY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        21⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGAMUYsg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        17⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCgggIEo.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        13⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        Modifies registry key
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dcgkgckc.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        11⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWYkMIog.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        9⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wicMMEYE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        7⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:5040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:5952
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:5960
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:5968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\focgcUsI.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        5⤵
        
        PID:5976
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        5⤵
        
        PID:428
      - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        6⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiQwUMwE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        7⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        7⤵
        
        PID:6092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:5544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUMEkMAg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        5⤵
        
        PID:4176
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2340
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOIMgYoI.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
    3⤵
    PID:5600
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:5592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5576

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:5848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCYQggQk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1856
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5592
- - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
    C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
    3⤵
    PID:4512
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5992
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:5872

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
    C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
    3⤵
    PID:5568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
      4⤵
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        5⤵
        
        PID:5640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        6⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        7⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        8⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQwQwkoc.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        8⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3580
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSUMkIYY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        6⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        7⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qokgowgg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        8⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        8⤵
        
        PID:4708
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3884
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1836
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKIMsIYE.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
      4⤵
      PID:1804
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:5772
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKAQcQog.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:5932
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5480
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2504

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
    C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
    3⤵
    PID:636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmQoEQkw.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
      4⤵
      PID:4108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEcIQUgU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:5540
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5628
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgsEIQYA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:368
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1052
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
    C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:5592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYscQEwg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
1⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:5792
- - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
    C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
    3⤵
    PID:5276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGIEEogo.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:6004
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:5708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKosooYs.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5392
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5780
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:5304
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:5164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
    C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
    3⤵
    PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSEEcgQU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
      4⤵
      PID:4136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
      4⤵
      PID:6076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqAIcAAA.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1820

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:5124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuAcsMEg.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:732
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5696
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:5196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuQMUwAI.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:2308
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5332
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:5296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:1220

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:4140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
    C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
    3⤵
    PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
      4⤵
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        5⤵
        
        PID:4192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        6⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
        
        C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
        7⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wukgIsIU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        8⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
        8⤵
        
        PID:5864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuYwksUs.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
        6⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:532
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2828
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:5204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWQMUoMU.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYoQQook.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeIgkkIo.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2660
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:5920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
      4⤵
      PID:2276
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmkUsMYY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
1⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
  C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIYEcAAo.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
    3⤵
    PID:2640
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5960
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:5124
  - - C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
      C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
      4⤵
      PID:5560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
    3⤵
    PID:6004
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSEIYssk.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
1⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
1⤵
PID:1260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:5108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:5948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:636
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
  2⤵
  PID:5348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCksEcAY.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
1⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
1⤵
PID:3476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6
1⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUowUwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6.exe""
1⤵
PID:5720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:6036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
1⤵
PID:1552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6"
1⤵
PID:1980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\YOYgwIYA\nqYsIMgA.exe

Filesize
433KB

MD5
142a76ae980a29a95b357e434230949f

SHA1
e362e9e9d076de4885d0b32e830ff590ced13aec

SHA256
13e6b468ae1816ba72ded1b00a85c5e977002d01935949d28cfc0eb78d3bcc30

SHA512
cabc1821031f18ad79b5a306e643d9f82d7610063624d71c68c47f609e62b526705ff7ae68836e3e3bb2b64c34ed7c5c5a8463f6c5f5e29d6b937f826e919851

Download Submit
C:\ProgramData\YOYgwIYA\nqYsIMgA.exe

Filesize
433KB

MD5
142a76ae980a29a95b357e434230949f

SHA1
e362e9e9d076de4885d0b32e830ff590ced13aec

SHA256
13e6b468ae1816ba72ded1b00a85c5e977002d01935949d28cfc0eb78d3bcc30

SHA512
cabc1821031f18ad79b5a306e643d9f82d7610063624d71c68c47f609e62b526705ff7ae68836e3e3bb2b64c34ed7c5c5a8463f6c5f5e29d6b937f826e919851

Download Submit
C:\ProgramData\dMskksgQ\vWUkYkkU.exe

Filesize
435KB

MD5
eea045491b5b0c1d45202a8d79a9d21f

SHA1
6aef5e25693e6701102aa70354c303996241c991

SHA256
b905b72c1186ff8932a1a2c98a66e9f12c137326c554b0f805e520cb9a7b663f

SHA512
14cf7281a135df1a9330d9d8ede33a6cdedd4eb6a070b5f41471b4e179b07d6e03c7e60e51e8c19fc524cb20464ba6a03d041a1cced28128092212d9b8ba90ef

Download Submit
C:\ProgramData\dMskksgQ\vWUkYkkU.exe

Filesize
435KB

MD5
eea045491b5b0c1d45202a8d79a9d21f

SHA1
6aef5e25693e6701102aa70354c303996241c991

SHA256
b905b72c1186ff8932a1a2c98a66e9f12c137326c554b0f805e520cb9a7b663f

SHA512
14cf7281a135df1a9330d9d8ede33a6cdedd4eb6a070b5f41471b4e179b07d6e03c7e60e51e8c19fc524cb20464ba6a03d041a1cced28128092212d9b8ba90ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9744476e066b90044db4fa5f501c4670c0ba3dc03dc07ee43fcb6ba140a741c6

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCgggIEo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcgkgckc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcAIgwIc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWYkMIog.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LcwoMgsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiEAskAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGAMUYsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsAosAQQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKsAEYgY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoEYYMsU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoksogQQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XuMYsAQQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqYgIskk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqIkkkwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiYYgYUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\focgcUsI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYoQEwgs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hooUUMco.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOIMgYoI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYscsAEo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uygssAkQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wicMMEYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOAwQQMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\UuEoEEYA\pEosgIws.exe

Filesize
434KB

MD5
6e95a67eda4d781c4b3b0162502373eb

SHA1
d7475bd48339db770c0b43f44910552bb90b3174

SHA256
9b40a931ab579662c2500ad76ca1f44b02337f8f9e52d8baebae958be09f91af

SHA512
01e1d0d5e19c1ee81516bde6933d88a73a91c73cd319ba97c19b81afb147286575a03e4bb889d3f25a515e45a97f6e7855554f3074e2ef1f79599887d324119b

Download Submit
C:\Users\Admin\UuEoEEYA\pEosgIws.exe

Filesize
434KB

MD5
6e95a67eda4d781c4b3b0162502373eb

SHA1
d7475bd48339db770c0b43f44910552bb90b3174

SHA256
9b40a931ab579662c2500ad76ca1f44b02337f8f9e52d8baebae958be09f91af

SHA512
01e1d0d5e19c1ee81516bde6933d88a73a91c73cd319ba97c19b81afb147286575a03e4bb889d3f25a515e45a97f6e7855554f3074e2ef1f79599887d324119b

Download Submit
memory/580-307-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/796-265-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/880-316-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/956-163-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/956-227-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1316-322-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1316-321-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1364-176-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1364-231-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1380-269-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1380-270-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1472-177-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1472-317-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1472-224-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1504-311-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1504-310-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1856-150-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1856-217-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2444-276-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2444-278-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2460-301-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2460-299-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3140-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3140-185-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3216-308-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3216-309-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3424-144-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3492-305-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3492-303-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3844-228-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3844-165-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4176-277-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4176-273-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4212-178-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4212-230-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4260-226-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4260-175-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4440-323-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4456-232-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4456-184-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4532-229-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4532-162-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4568-143-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4568-186-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4740-284-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4804-315-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4804-314-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5024-141-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5024-132-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5036-236-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5036-239-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5104-313-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5424-252-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5432-287-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5432-289-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5548-320-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5560-253-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5560-257-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5608-312-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5644-318-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5644-319-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5736-293-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/6036-297-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/6140-261-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download