6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Analysis

max time kernel
190s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
Size

447KB
MD5

73f9af26ca6b395200133e11a0699b30
SHA1

2b14b8174a604d464e1d04d09a76186533b1a6d4
SHA256

6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
SHA512

a512f62e37adf304878b8597ba105ed26d4d68b80e4d18217e864d18939a19b1d0638f95d17a6074a7ac275424cdfaa2fc324e11b9faf55054e32b04b44cc7d1
SSDEEP

6144:HVcOg2m1np42Xvc7M9IqBJnOqZCQmRpzc9BX6Tk0MzYRKK/O0LqgrQepCYtWYWR:1cOg2Ga2fymDt4Drof6TkVfgrppC8T+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2632	GiAcEwEQ.exe
4704	kUIAgQAk.exe
3560	ACwkAwwU.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kUIAgQAk.exe = "C:\\ProgramData\\LEIYwQUU\\kUIAgQAk.exe"	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kUIAgQAk.exe = "C:\\ProgramData\\LEIYwQUU\\kUIAgQAk.exe"	kUIAgQAk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kUIAgQAk.exe = "C:\\ProgramData\\LEIYwQUU\\kUIAgQAk.exe"	ACwkAwwU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GiAcEwEQ.exe = "C:\\Users\\Admin\\rCIAgIgM\\GiAcEwEQ.exe"	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GiAcEwEQ.exe = "C:\\Users\\Admin\\rCIAgIgM\\GiAcEwEQ.exe"	GiAcEwEQ.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\rCIAgIgM	ACwkAwwU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\rCIAgIgM\GiAcEwEQ	ACwkAwwU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2504	reg.exe
4780	reg.exe
964	reg.exe
4104	reg.exe
436	Process not Found
1140	Process not Found
400	reg.exe
3532	reg.exe
5048	reg.exe
2940	reg.exe
4820	reg.exe
3012	reg.exe
3576	reg.exe
1364	reg.exe
4744	reg.exe
4316	reg.exe
3684	reg.exe
4496	reg.exe
3420	Process not Found
396	reg.exe
1476	Process not Found
4744	reg.exe
2524	reg.exe
208	reg.exe
4572	reg.exe
5008	reg.exe
3508	reg.exe
4032	reg.exe
3380	reg.exe
3920	reg.exe
2760	reg.exe
1004	reg.exe
1200	reg.exe
5012	Process not Found
4120	reg.exe
5096	reg.exe
3652	reg.exe
4228	reg.exe
3908	reg.exe
4324	reg.exe
3672	reg.exe
1896	Process not Found
3652	Process not Found
400	Process not Found
5000	reg.exe
4120	reg.exe
5116	reg.exe
1380	reg.exe
808	Process not Found
608	reg.exe
3988	reg.exe
2352	Process not Found
4296	reg.exe
2356	Process not Found
2312	Process not Found
3116	reg.exe
3488	reg.exe
4668	reg.exe
4920	reg.exe
4444	reg.exe
4272	reg.exe
4476	reg.exe
4032	reg.exe
2428	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4324	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4324	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4324	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4324	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4068	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4068	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4068	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4068	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4940	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4940	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4940	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4940	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
2688	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
2688	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
2688	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
2688	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1756	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1756	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1756	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1756	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4984	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4984	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4984	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4984	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4180	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4180	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4180	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4180	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1660	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1660	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1660	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1660	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
5088	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
5088	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
5088	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
5088	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
888	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
888	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
888	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
888	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
3180	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
3180	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
3180	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
3180	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1184	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1184	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1184	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
1184	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4048	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4048	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4048	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
4048	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 2632	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	84
PID 4156 wrote to memory of 2632	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	84
PID 4156 wrote to memory of 2632	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	84
PID 4156 wrote to memory of 4704	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	85
PID 4156 wrote to memory of 4704	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	85
PID 4156 wrote to memory of 4704	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	85
PID 4156 wrote to memory of 3392	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	128
PID 4156 wrote to memory of 3392	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	128
PID 4156 wrote to memory of 3392	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	128
PID 3392 wrote to memory of 3476	3392	cmd.exe	94
PID 3392 wrote to memory of 3476	3392	cmd.exe	94
PID 3392 wrote to memory of 3476	3392	cmd.exe	94
PID 4156 wrote to memory of 208	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	93
PID 4156 wrote to memory of 208	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	93
PID 4156 wrote to memory of 208	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	93
PID 4156 wrote to memory of 220	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	92
PID 4156 wrote to memory of 220	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	92
PID 4156 wrote to memory of 220	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	92
PID 4156 wrote to memory of 4804	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	90
PID 4156 wrote to memory of 4804	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	90
PID 4156 wrote to memory of 4804	4156	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	90
PID 3476 wrote to memory of 2208	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	96
PID 3476 wrote to memory of 2208	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	96
PID 3476 wrote to memory of 2208	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	96
PID 2208 wrote to memory of 2444	2208	cmd.exe	127
PID 2208 wrote to memory of 2444	2208	cmd.exe	127
PID 2208 wrote to memory of 2444	2208	cmd.exe	127
PID 3476 wrote to memory of 4984	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	97
PID 3476 wrote to memory of 4984	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	97
PID 3476 wrote to memory of 4984	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	97
PID 3476 wrote to memory of 3628	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	126
PID 3476 wrote to memory of 3628	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	126
PID 3476 wrote to memory of 3628	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	126
PID 3476 wrote to memory of 4656	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	98
PID 3476 wrote to memory of 4656	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	98
PID 3476 wrote to memory of 4656	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	98
PID 3476 wrote to memory of 3348	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	101
PID 3476 wrote to memory of 3348	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	101
PID 3476 wrote to memory of 3348	3476	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	101
PID 2444 wrote to memory of 5080	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	104
PID 2444 wrote to memory of 5080	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	104
PID 2444 wrote to memory of 5080	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	104
PID 5080 wrote to memory of 4324	5080	cmd.exe	103
PID 5080 wrote to memory of 4324	5080	cmd.exe	103
PID 5080 wrote to memory of 4324	5080	cmd.exe	103
PID 2444 wrote to memory of 4652	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	123
PID 2444 wrote to memory of 4652	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	123
PID 2444 wrote to memory of 4652	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	123
PID 2444 wrote to memory of 4124	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	113
PID 2444 wrote to memory of 4124	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	113
PID 2444 wrote to memory of 4124	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	113
PID 2444 wrote to memory of 4236	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	109
PID 2444 wrote to memory of 4236	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	109
PID 2444 wrote to memory of 4236	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	109
PID 2444 wrote to memory of 2316	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	105
PID 2444 wrote to memory of 2316	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	105
PID 2444 wrote to memory of 2316	2444	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	105
PID 4324 wrote to memory of 3652	4324	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	111
PID 4324 wrote to memory of 3652	4324	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	111
PID 4324 wrote to memory of 3652	4324	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	111
PID 3652 wrote to memory of 4068	3652	cmd.exe	114
PID 3652 wrote to memory of 4068	3652	cmd.exe	114
PID 3652 wrote to memory of 4068	3652	cmd.exe	114
PID 4324 wrote to memory of 3532	4324	6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe	122

C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
"C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\rCIAgIgM\GiAcEwEQ.exe
  "C:\Users\Admin\rCIAgIgM\GiAcEwEQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2632
- C:\ProgramData\LEIYwQUU\kUIAgQAk.exe
  "C:\ProgramData\LEIYwQUU\kUIAgQAk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4704
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:220
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392

C:\ProgramData\TcAogUkg\ACwkAwwU.exe
C:\ProgramData\TcAogUkg\ACwkAwwU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3560

C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
    C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4984
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgcUQkIE.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3628

C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
    C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
      4⤵
      PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        6⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        8⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        10⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        12⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        14⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        16⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        18⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        20⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        22⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        24⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        26⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        27⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        28⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        29⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        30⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        31⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        32⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        33⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOcEUksg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        34⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        34⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        35⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        36⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        37⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        38⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        39⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        40⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        41⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        42⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        43⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        44⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        45⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        46⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        47⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        48⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        49⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        50⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        51⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        52⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        53⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        54⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        55⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        56⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        57⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        58⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        59⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        60⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        61⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        62⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        63⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        64⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        65⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        66⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        67⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        68⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        69⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        70⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        71⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        72⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        73⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        74⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        75⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        76⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        77⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        78⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        79⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        80⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        81⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        82⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        83⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        84⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        85⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        86⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        87⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        88⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        89⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        90⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        91⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        92⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        93⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        94⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        95⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        96⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        97⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        98⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        99⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        100⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        101⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        102⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        103⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        104⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        105⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        106⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        107⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        108⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        109⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        110⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        111⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        112⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        113⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        114⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        115⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        116⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        117⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        118⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        119⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        120⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        121⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        122⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        123⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        124⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        125⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        126⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        127⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        128⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        129⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        130⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        131⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        132⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        133⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        134⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        135⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        136⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        137⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        138⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        139⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        140⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        141⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        142⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        143⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        144⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        145⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        146⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        147⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        148⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        149⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        150⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        151⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        152⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        153⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        154⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        155⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        156⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        157⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        158⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        159⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        160⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        161⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        162⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        163⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        164⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        165⤵
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        166⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        167⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        168⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        169⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        170⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        171⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        172⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        173⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        174⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        175⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        176⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        177⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        178⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        179⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        180⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        181⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        182⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        183⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        184⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        185⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        186⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        187⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        188⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        189⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        190⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        191⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        192⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        193⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        194⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        195⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        196⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        197⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        198⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        199⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        200⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        201⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        202⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        203⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        204⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        205⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        206⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        207⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        208⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        209⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        210⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        211⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        212⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        213⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        214⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        215⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        216⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        217⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        218⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        219⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        220⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        221⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        222⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        223⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        224⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        225⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        226⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        227⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        228⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        229⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        230⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        231⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        232⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        233⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        234⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        235⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        236⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        237⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        238⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        239⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        240⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        241⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        242⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        243⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        244⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        245⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        246⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        247⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        248⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        249⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        250⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        251⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        252⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        253⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        254⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        255⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        256⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        257⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        258⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        259⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        260⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        261⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        262⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        263⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        264⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        265⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        266⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        267⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        268⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        269⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        270⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        271⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        272⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        273⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        274⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        275⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        276⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        277⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        278⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        279⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        280⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        281⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        282⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        283⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        284⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        285⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
        286⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b
        287⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkggcUkM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        286⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        287⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        286⤵
        UAC bypass
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        286⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        286⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        284⤵
        UAC bypass
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOwYsgkE.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        284⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        285⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmoUcYQo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        282⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        283⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEUsYYAA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        280⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKgQkEMY.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        278⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwAoAoIc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        276⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgwUQsAc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        274⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bisAMooA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        272⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgsswYIM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        270⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        Modifies registry key
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWogQMEI.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        268⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skEcIscU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        266⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAIMkUkI.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        264⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQcgQoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        262⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuYkQkUk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        260⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMUIgsMk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        258⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YisUUwII.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        256⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSckMMYw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        254⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsMYMgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        252⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUIcscEU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        250⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSkEkIkA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        248⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOYkQcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        246⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIgAMsoA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        244⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSkEIgsU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        242⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUIgUkoc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        240⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies registry key
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWIkQUUw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        238⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGQowMgI.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        236⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCUAokwc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        234⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqgQgAIE.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        232⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngQMgYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        230⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUAMUEIM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        228⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAIwgsYA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        226⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGoIgYwM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        224⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msgEswQE.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        222⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsEUAQYg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        220⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAEwQggQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        218⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcsIUEYg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        216⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TewIgcMA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        214⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEQsgkgI.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        212⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGgggIUI.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        210⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bukIgUkg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        208⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEoIYMME.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        206⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOkEIQMo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        204⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQwgQkYU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        202⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGYAwEcg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        200⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xucgQUMM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        198⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWEMYAwg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        196⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKAscgEk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        194⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGckMoAo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        192⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwUAssEg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        190⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGkYwMYU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        188⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQwosEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        186⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PggosIUY.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        184⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGcAAwoo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        182⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKUAcsAw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        180⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayoccYos.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        178⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuowEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        176⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwEIAsQw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        174⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JscUQowc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        172⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skwksosQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        170⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIkQQskM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        168⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGksEwME.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        166⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYMEkkwk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        164⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQYMkYkI.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        162⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pugooEcc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        160⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUEsocgc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        158⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYMUwgsg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        156⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToUEcMQU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        154⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGMUQMYo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        152⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiEkUMUc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        150⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQUcowIw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        148⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECowIMMY.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        146⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmAcAokE.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        144⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcoUYEMA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        142⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMcAocIs.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        140⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        Modifies registry key
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSMEIoco.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        138⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGMgMAUA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        136⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qggQAYss.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        134⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwEYUogo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        132⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCAUgMQY.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        130⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RswEIUEw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        128⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icIIQYgk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        126⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmosYswo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        124⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOwMUMgE.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        122⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oicYAQUE.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        120⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAUIkskY.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        118⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUQAgwYs.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        116⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsgoAEEM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        114⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSIEgAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        112⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baQAAMgc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        110⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMIgocQA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        108⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiQgwIYM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        106⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISgUUkAU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        104⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOkcwAMI.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        102⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkggMMAo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        100⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCYEEgoc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        98⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyMUIAog.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        96⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEEAAkMk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        94⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\desAMogM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        92⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqwkMcIU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        90⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecUgwQYM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        88⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUUMMcQk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        86⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQIwUcok.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        84⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeYYscwo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        82⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSkAIcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        80⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYAwMEQk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        78⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCwUkQQk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        76⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSoMYskg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        74⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAEUkQYU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        72⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMwAoosY.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        70⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiMwsQoc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        68⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zosUMsUs.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        66⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOkEYUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        64⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woAwcYIk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        62⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQAUkkIw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        60⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQEIAAQg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        58⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECkAIoIU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        56⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGwIYkMs.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        54⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuYQwMEY.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        52⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaAoQskw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        50⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeEMcEUs.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        48⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imEsocwk.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        46⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pagAckgI.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        44⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMUEsEUU.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        42⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmcIgkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        40⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOcMUQMo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        38⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcUAAAsA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        36⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIMcAwwA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        32⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bokwgwwc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        30⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeMsoYIo.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        28⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCwYAQks.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        26⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKEgQYgw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        24⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owIcwwEE.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        22⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMUEsMIg.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        20⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgksIkgw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        18⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgMQEwgM.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        16⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSEoswkA.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        14⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgYwsYoc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        12⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKMkEQsc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        10⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUIYMkcc.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        8⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2640
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4920
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqkQMMco.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
        6⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1316
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQwkAoos.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4072
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZygYcoEw.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b"
1⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUYkgkAs.bat" "C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b.exe""
1⤵
PID:2316
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LEIYwQUU\kUIAgQAk.exe

Filesize
432KB

MD5
a3f602f45e6864deb57a3ec5b15d4da4

SHA1
55863999bfd17c3a26f707e35d0f0db353255f53

SHA256
92dbabb5c4729e66ba353e8ddfe3a1b2fcdae8d2542f60972374ca90998753d2

SHA512
671414c117e3a589d44b3bd098799ab66a4dc020e3de40b0e18e8e704d72c8197743f04ae0d37c6a8c88e4fec8a71ec1344632c7af7a07e5d5f2abe2210012eb

Download Submit
C:\ProgramData\LEIYwQUU\kUIAgQAk.exe

Filesize
432KB

MD5
a3f602f45e6864deb57a3ec5b15d4da4

SHA1
55863999bfd17c3a26f707e35d0f0db353255f53

SHA256
92dbabb5c4729e66ba353e8ddfe3a1b2fcdae8d2542f60972374ca90998753d2

SHA512
671414c117e3a589d44b3bd098799ab66a4dc020e3de40b0e18e8e704d72c8197743f04ae0d37c6a8c88e4fec8a71ec1344632c7af7a07e5d5f2abe2210012eb

Download Submit
C:\ProgramData\TcAogUkg\ACwkAwwU.exe

Filesize
429KB

MD5
de1530ec17ff5b25ca4249a9bf99ab22

SHA1
6eae87dffe3513d0f8c8ebc4e801d8019a883409

SHA256
e0b0a2b5298fe00176f6e80f9299a727be2216da0a4ef13c32db6240a7c51073

SHA512
8cf1fd3c67913862c75b73994bdd063d049c10d3928fb54f38b7a26001f67a626d021b45a0213e2c84bc3f892f98ae4653d37578adc1672ad2b50a93e6a8856c

Download Submit
C:\ProgramData\TcAogUkg\ACwkAwwU.exe

Filesize
429KB

MD5
de1530ec17ff5b25ca4249a9bf99ab22

SHA1
6eae87dffe3513d0f8c8ebc4e801d8019a883409

SHA256
e0b0a2b5298fe00176f6e80f9299a727be2216da0a4ef13c32db6240a7c51073

SHA512
8cf1fd3c67913862c75b73994bdd063d049c10d3928fb54f38b7a26001f67a626d021b45a0213e2c84bc3f892f98ae4653d37578adc1672ad2b50a93e6a8856c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd2bb6b8ab1bec7900b8e64cd9dddfaa286ff6f9662513588eb9285f4ae4a4b

Filesize
6KB

MD5
96b5a5aa81cddc217e02a83da419a8ea

SHA1
2f005ac25837210b71780fbf0d44b1b1da873749

SHA256
50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c

SHA512
bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYwsYoc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bokwgwwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMUEsMIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOcMUQMo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIMcAwwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgMQEwgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgcUQkIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSEoswkA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UeMsoYIo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqkQMMco.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZygYcoEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKMkEQsc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcUAAAsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQwkAoos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUYkgkAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCwYAQks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOcEUksg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIcwwEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgksIkgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUIYMkcc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKEgQYgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\rCIAgIgM\GiAcEwEQ.exe

Filesize
434KB

MD5
9d9061a29f96b6da55b1c86d68878c09

SHA1
540c70df990d7df4fbc017472eef0bb22f3895eb

SHA256
de96c7f5a7df63e73519bd0d4f626d3b3584a840544ce927a6f088f07d545c70

SHA512
ccc1918b4ced3422045c9bb6abfcbca94730faaea03900bceb8f530ef4ccaea3a1380de1ba40f2ff7f65c70cdbeafd6fe2a3f8275af37ab1e971e7877fb33500

Download Submit
C:\Users\Admin\rCIAgIgM\GiAcEwEQ.exe

Filesize
434KB

MD5
9d9061a29f96b6da55b1c86d68878c09

SHA1
540c70df990d7df4fbc017472eef0bb22f3895eb

SHA256
de96c7f5a7df63e73519bd0d4f626d3b3584a840544ce927a6f088f07d545c70

SHA512
ccc1918b4ced3422045c9bb6abfcbca94730faaea03900bceb8f530ef4ccaea3a1380de1ba40f2ff7f65c70cdbeafd6fe2a3f8275af37ab1e971e7877fb33500

Download Submit
memory/8-321-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/220-275-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/220-276-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/888-258-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/888-256-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1068-311-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1068-310-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1184-263-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1184-267-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-307-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-306-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1632-309-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1660-249-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1756-212-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1756-204-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1808-308-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2152-322-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2220-301-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2352-292-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2352-295-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2444-164-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2632-176-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2632-136-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2644-304-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2688-203-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2688-197-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3172-319-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3172-320-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3180-262-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3476-156-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3560-143-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3560-178-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3576-284-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3576-286-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3764-318-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3780-313-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3836-316-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4048-271-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4068-186-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4068-172-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4124-323-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4156-132-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4156-175-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4172-315-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4172-314-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4180-228-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4180-243-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4324-174-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4324-303-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4324-302-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4324-171-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4408-317-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4628-288-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4704-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4704-177-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4844-305-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4868-282-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4868-280-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4940-194-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4984-235-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4984-218-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5064-312-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5080-298-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5088-253-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download