8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Analysis

max time kernel
174s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
Size

564KB
MD5

96608674a01049b54cc2d6d451a86740
SHA1

0418d229cefc24cf1524943ec58b0282ef5cf8ca
SHA256

8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
SHA512

c591ea310da69997484664f4f13ce7e92ea4f52f4653606ac95a7316d2bfc06afda619ab538bf84a14cacff664622e66df8c704d0f27b3000a7cdeeaa70648c0
SSDEEP

12288:uTp9LIfVF9ZSUpPqIpPPuc5DYXeoJKtm3Y6OFvgt6Yf:UbLouUpCcPj5DqeGKxFvgt6m

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\tAQsIYQc\\PasYMUkw.exe,"	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\tAQsIYQc\\PasYMUkw.exe,"	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4004	dsAoosUE.exe
2172	PasYMUkw.exe
2324	ggUwYkoc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dsAoosUE.exe = "C:\\Users\\Admin\\YQQAIkQo\\dsAoosUE.exe"	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dsAoosUE.exe = "C:\\Users\\Admin\\YQQAIkQo\\dsAoosUE.exe"	dsAoosUE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PasYMUkw.exe = "C:\\ProgramData\\tAQsIYQc\\PasYMUkw.exe"	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PasYMUkw.exe = "C:\\ProgramData\\tAQsIYQc\\PasYMUkw.exe"	PasYMUkw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PasYMUkw.exe = "C:\\ProgramData\\tAQsIYQc\\PasYMUkw.exe"	ggUwYkoc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YQQAIkQo	ggUwYkoc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YQQAIkQo\dsAoosUE	ggUwYkoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2796	reg.exe
3964	reg.exe
320	reg.exe
2448	reg.exe
2976	reg.exe
1992	reg.exe
1520	reg.exe
4884	reg.exe
2552	reg.exe
5112	reg.exe
4684	reg.exe
4640	reg.exe
5092	reg.exe
3556	reg.exe
3324	reg.exe
5064	reg.exe
1512	reg.exe
3048	reg.exe
3400	reg.exe
3644	reg.exe
3452	reg.exe
3604	reg.exe
1876	reg.exe
712	reg.exe
4984	reg.exe
2088	reg.exe
1904	reg.exe
972	reg.exe
1564	reg.exe
3704	reg.exe
1092	reg.exe
3232	reg.exe
3460	reg.exe
3772	reg.exe
3864	reg.exe
544	reg.exe
5064	reg.exe
1092	reg.exe
1260	reg.exe
1812	reg.exe
2760	reg.exe
3312	reg.exe
4248	reg.exe
3800	reg.exe
3200	reg.exe
1360	reg.exe
3368	reg.exe
3736	reg.exe
4628	reg.exe
1804	reg.exe
2892	reg.exe
3804	reg.exe
3044	reg.exe
5008	reg.exe
4232	reg.exe
3860	reg.exe
1012	reg.exe
4336	reg.exe
3592	reg.exe
1976	reg.exe
2180	reg.exe
3736	reg.exe
2088	reg.exe
1220	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2180	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2180	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2180	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2180	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1772	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1772	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1772	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1772	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3836	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3836	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3836	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3836	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1520	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1520	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1520	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1520	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3720	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3720	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3720	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3720	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1632	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1632	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1632	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1632	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2004	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2004	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2004	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
2004	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1240	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1240	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1240	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1240	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4400	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4400	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4400	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
4400	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3716	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3716	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3716	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
3716	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
1020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4004	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	81
PID 2424 wrote to memory of 4004	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	81
PID 2424 wrote to memory of 4004	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	81
PID 2424 wrote to memory of 2172	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	82
PID 2424 wrote to memory of 2172	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	82
PID 2424 wrote to memory of 2172	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	82
PID 2424 wrote to memory of 1504	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	84
PID 2424 wrote to memory of 1504	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	84
PID 2424 wrote to memory of 1504	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	84
PID 2424 wrote to memory of 1500	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	86
PID 2424 wrote to memory of 1500	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	86
PID 2424 wrote to memory of 1500	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	86
PID 2424 wrote to memory of 1468	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	91
PID 2424 wrote to memory of 1468	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	91
PID 2424 wrote to memory of 1468	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	91
PID 1504 wrote to memory of 2808	1504	cmd.exe	90
PID 1504 wrote to memory of 2808	1504	cmd.exe	90
PID 1504 wrote to memory of 2808	1504	cmd.exe	90
PID 2424 wrote to memory of 364	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	87
PID 2424 wrote to memory of 364	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	87
PID 2424 wrote to memory of 364	2424	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	87
PID 2808 wrote to memory of 4240	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	93
PID 2808 wrote to memory of 4240	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	93
PID 2808 wrote to memory of 4240	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	93
PID 2808 wrote to memory of 5064	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	95
PID 2808 wrote to memory of 5064	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	95
PID 2808 wrote to memory of 5064	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	95
PID 4240 wrote to memory of 4952	4240	cmd.exe	96
PID 4240 wrote to memory of 4952	4240	cmd.exe	96
PID 4240 wrote to memory of 4952	4240	cmd.exe	96
PID 2808 wrote to memory of 4140	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	99
PID 2808 wrote to memory of 4140	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	99
PID 2808 wrote to memory of 4140	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	99
PID 2808 wrote to memory of 3832	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	100
PID 2808 wrote to memory of 3832	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	100
PID 2808 wrote to memory of 3832	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	100
PID 2808 wrote to memory of 1112	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	102
PID 2808 wrote to memory of 1112	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	102
PID 2808 wrote to memory of 1112	2808	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	102
PID 4952 wrote to memory of 3064	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	97
PID 4952 wrote to memory of 3064	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	97
PID 4952 wrote to memory of 3064	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	97
PID 4952 wrote to memory of 4424	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	106
PID 4952 wrote to memory of 4424	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	106
PID 4952 wrote to memory of 4424	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	106
PID 4952 wrote to memory of 1272	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	107
PID 4952 wrote to memory of 1272	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	107
PID 4952 wrote to memory of 1272	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	107
PID 4952 wrote to memory of 3604	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	110
PID 4952 wrote to memory of 3604	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	110
PID 4952 wrote to memory of 3604	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	110
PID 4952 wrote to memory of 3096	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	108
PID 4952 wrote to memory of 3096	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	108
PID 4952 wrote to memory of 3096	4952	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	108
PID 3064 wrote to memory of 2020	3064	cmd.exe	114
PID 3064 wrote to memory of 2020	3064	cmd.exe	114
PID 3064 wrote to memory of 2020	3064	cmd.exe	114
PID 2020 wrote to memory of 4884	2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	115
PID 2020 wrote to memory of 4884	2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	115
PID 2020 wrote to memory of 4884	2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	115
PID 2020 wrote to memory of 5060	2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	116
PID 2020 wrote to memory of 5060	2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	116
PID 2020 wrote to memory of 5060	2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	116
PID 2020 wrote to memory of 1876	2020	8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe	117

C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
"C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\YQQAIkQo\dsAoosUE.exe
  "C:\Users\Admin\YQQAIkQo\dsAoosUE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4004
- C:\ProgramData\tAQsIYQc\PasYMUkw.exe
  "C:\ProgramData\tAQsIYQc\PasYMUkw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
    C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        8⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        10⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        12⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        14⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        16⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        18⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        20⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        22⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        24⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        26⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        28⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        30⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        32⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        33⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        34⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        35⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        36⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        37⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        38⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        39⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        40⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        41⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqUswAos.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        40⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIEwcgMY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        38⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rasIsYow.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        36⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmcooMwY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        34⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGAAMMgc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        32⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUYsYkAo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        30⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGwwskkQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        28⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgYAgMIU.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        26⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIAIEMEA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        24⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEMUwgsg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        22⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eosUUIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        20⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYgQAkgE.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        18⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGUYcgQE.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        16⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwgwwIws.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        14⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMIYQsA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        12⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIAAAogg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        10⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csgsoEYc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        8⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2680
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4424
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAQkQcAM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        6⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3396
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:3604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:5064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuwkUgks.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
      4⤵
      PID:1112
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1500
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1468

C:\ProgramData\SGQMEgIk\ggUwYkoc.exe
C:\ProgramData\SGQMEgIk\ggUwYkoc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
  C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
      C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
      4⤵
      PID:5096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        5⤵
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        6⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        7⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        9⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        10⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        11⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        12⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        13⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        14⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        15⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        16⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        17⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        18⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        19⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        20⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        21⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        22⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        23⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        24⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        25⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        26⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        27⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        28⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        29⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        30⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        31⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        32⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        33⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        34⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        35⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        36⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        37⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        38⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        39⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        40⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        41⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        42⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        43⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        44⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        45⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        46⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        47⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        48⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        49⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        50⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        51⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        52⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        53⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        54⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        55⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        56⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        57⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        58⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        59⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        60⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        61⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        62⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        63⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        64⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        65⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        66⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        67⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        68⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        69⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        70⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        71⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        72⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        73⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        74⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        75⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        76⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        77⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        78⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        79⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        80⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        81⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        82⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        83⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        84⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        85⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        86⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        87⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        88⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        89⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        90⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        91⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        92⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        93⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        94⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        95⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        96⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        97⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        98⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        99⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        100⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        101⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        102⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        103⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        104⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        105⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        106⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        107⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        108⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        109⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        110⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        111⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        112⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        113⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        114⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        115⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        116⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        117⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        118⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        119⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        120⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        121⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        122⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        123⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        124⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        125⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        126⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        127⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        128⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        129⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        130⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        131⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        132⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        133⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        134⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        135⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        136⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        137⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        138⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        139⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        140⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        141⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        142⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        143⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        144⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        145⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        146⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        147⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        148⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        149⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        150⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        151⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        152⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        153⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        154⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        155⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        156⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        157⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        158⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        159⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        160⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        161⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        162⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        163⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        164⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        165⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        166⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        167⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        168⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        169⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        170⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        171⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        172⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        173⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        174⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        175⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        176⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        177⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        178⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        179⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        180⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        181⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        182⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        183⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        184⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        185⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        186⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        187⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        188⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        189⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        190⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        191⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        192⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        193⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        194⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        195⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        196⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        197⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        198⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        199⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        200⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        201⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        202⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        203⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        204⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        205⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        206⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        207⤵
        
        PID:260
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        208⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        209⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        210⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        211⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        212⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        213⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        214⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9"
        215⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe
        
        C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9
        216⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKwQAUwI.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        215⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        216⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        215⤵
        UAC bypass
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        215⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        215⤵
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYAgIokk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        213⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        214⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        213⤵
        UAC bypass
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        213⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        213⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsgowgMg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        211⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        212⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        211⤵
        UAC bypass
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        211⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        211⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYEoEAAc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        209⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        210⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        209⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        209⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        209⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqsgsoMA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        207⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        208⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        207⤵
        UAC bypass
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        207⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KskkIwwA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        205⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        206⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        205⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        205⤵
        Modifies registry key
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        205⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYkAwMME.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        203⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        204⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        203⤵
        UAC bypass
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        203⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        203⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSgkQYIc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        201⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        202⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        201⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        201⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        201⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        199⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        199⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIEEEkYM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        199⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        200⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkkkcMco.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        197⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        198⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        197⤵
        UAC bypass
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        197⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        197⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        195⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        195⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FukgYMMY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        195⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        196⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        195⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        193⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        193⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        193⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DacQEsoo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        193⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        194⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        191⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        191⤵
        Modifies registry key
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWQoQkgo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        191⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        192⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        191⤵
        
        PID:3808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XywMUYIU.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        189⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        190⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        189⤵
        
        PID:204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        189⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        189⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUEIgYEI.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        187⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        188⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        187⤵
        UAC bypass
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        187⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        187⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCIAssgg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        185⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        186⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        185⤵
        Modifies registry key
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        185⤵
        Modifies registry key
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        185⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSQwUYcM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        183⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        184⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        183⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        183⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        183⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmkQMYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        181⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        182⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        181⤵
        UAC bypass
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        181⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        181⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIIAkkkA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        179⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        180⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        179⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        179⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        179⤵
        Modifies visibility of file extensions in Explorer
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        177⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoEcAIAk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        177⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        178⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        177⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        177⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UoswMgEk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        175⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        176⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        175⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        175⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        175⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        173⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOYMYEUg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        173⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        174⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        173⤵
        UAC bypass
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        173⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riwYsMMM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        171⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        172⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        171⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        171⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        171⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        169⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkooQUkk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        169⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        170⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        169⤵
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        169⤵
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWUgYQkY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        167⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        168⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        167⤵
        UAC bypass
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        167⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        167⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAIIsQME.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        165⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        166⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        165⤵
        UAC bypass
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        165⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        165⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gckYwsIM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        163⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        164⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        163⤵
        UAC bypass
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        163⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        163⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoQsYsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        161⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        162⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        161⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        161⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        161⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huUAMQIg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        159⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        160⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        159⤵
        UAC bypass
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        159⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        159⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMIAoAUE.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        157⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        158⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        157⤵
        UAC bypass
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        157⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        157⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asEIgEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        155⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        156⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        155⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        155⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        155⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwcMcEwk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        153⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        154⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        153⤵
        UAC bypass
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        153⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        153⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pakgowgg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        151⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        152⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        151⤵
        UAC bypass
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        151⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        151⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        149⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        149⤵
        Modifies registry key
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeMosYUw.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        149⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        150⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        149⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEoEAUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        147⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        148⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        147⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        147⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        147⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        145⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        145⤵
        Modifies registry key
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        145⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImsskccA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        145⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        146⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        143⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWMIokIU.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        143⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        144⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        143⤵
        UAC bypass
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        143⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEEMAock.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        141⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        142⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        141⤵
        UAC bypass
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        141⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        141⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikgoskUg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        139⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        140⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        139⤵
        UAC bypass
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        139⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        139⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WckwwcIk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        137⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        138⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        137⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        137⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        137⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgoQYkoc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        135⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        136⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        135⤵
        UAC bypass
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        135⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        135⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUsYwoQo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        133⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        134⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        133⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        133⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        133⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeAgcEMw.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        131⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        132⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        131⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        131⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        131⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aicYcocY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        129⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        130⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        129⤵
        UAC bypass
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        129⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        129⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSAAkcIg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        127⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        128⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        127⤵
        Modifies registry key
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        127⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        127⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQcgwMwk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        125⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        126⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        UAC bypass
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        125⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        125⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        123⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        123⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        123⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkoAkYQw.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        123⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        124⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSgIEQEo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        121⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        122⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        121⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmgkYMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        119⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        UAC bypass
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUwAYkgU.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        117⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        118⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LggMUkMc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        115⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        UAC bypass
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiksUUkg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        113⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYocIQEg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        111⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsAAUQcs.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        109⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        UAC bypass
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyQYgQoE.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        107⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        UAC bypass
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        Modifies registry key
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAMUQcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        105⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQAUEIoo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        103⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUwowAIk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        101⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYgQoMgY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        99⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XewUEsQs.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        97⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        Modifies visibility of file extensions in Explorer
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmckQowc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        95⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        UAC bypass
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUwMssMs.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        93⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmMwIcgM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        91⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUUAMsws.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        89⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGAUcIcA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        87⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        UAC bypass
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOEAYYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        85⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        UAC bypass
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCIYcAEU.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        83⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        UAC bypass
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGYUIwkY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        81⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McUAgAMs.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        79⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgkAIggk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        77⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIooswEA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        75⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        UAC bypass
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoAgoYQc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        73⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        UAC bypass
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmMsoscQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        71⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CswkEYoo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        69⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        UAC bypass
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKkcEcoc.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        67⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMIUAQIE.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        65⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruEgkQkM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        63⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        Modifies registry key
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noUoQAks.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        61⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCQEEcAI.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        59⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUcYkMwg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        57⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOwkwEEA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        55⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMQcAgko.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        53⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QekIcwww.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        51⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEQgoAQs.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        49⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeAIIkog.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        47⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMsIQkIA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        45⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGsEEkkY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        43⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        Modifies registry key
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUEAooQU.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        41⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoccQEAE.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        39⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqEYEUMo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        37⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bggMIQIk.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        35⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WickoUMI.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        33⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcYQAYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        31⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEAwcAMo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        29⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeYokcUE.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        27⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgEMscAM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        25⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCkksEQU.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        23⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGscwwUY.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        21⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twMggYAM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        19⤵
        
        PID:260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQMgoAMs.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        17⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcUcocUg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        15⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUYEEgYs.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        13⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYYsMEwg.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        11⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuIkowYU.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        9⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAcogMkM.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        7⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiwgcoIo.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
        5⤵
        
        PID:2896
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmAAwssE.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
    3⤵
    PID:396
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:320
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziMcMckA.bat" "C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9.exe""
1⤵
PID:1896
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SGQMEgIk\ggUwYkoc.exe

Filesize
479KB

MD5
57b867355ac2c14b17fefa8d43b43353

SHA1
37ca61629d6d12f8470f8a2518eb7c3b13b76eb0

SHA256
9e710991562b4530fbed77fc92efc9c65d7ccef47372e199f4c07e57a6096731

SHA512
5840e4d66607da57aa03cfad6ea1bf3208dc5cb780ba693d772f3bee3e9514e8c7c406b0cde56445de5aade87ff4c8f886995a2465f09c296bff2611547e78c6

Download Submit
C:\ProgramData\SGQMEgIk\ggUwYkoc.exe

Filesize
479KB

MD5
57b867355ac2c14b17fefa8d43b43353

SHA1
37ca61629d6d12f8470f8a2518eb7c3b13b76eb0

SHA256
9e710991562b4530fbed77fc92efc9c65d7ccef47372e199f4c07e57a6096731

SHA512
5840e4d66607da57aa03cfad6ea1bf3208dc5cb780ba693d772f3bee3e9514e8c7c406b0cde56445de5aade87ff4c8f886995a2465f09c296bff2611547e78c6

Download Submit
C:\ProgramData\tAQsIYQc\PasYMUkw.exe

Filesize
480KB

MD5
bdbd8ee44e84322fe9ce8e39b28de166

SHA1
b3fc78e3779f1834173470881f4294aa3511ba93

SHA256
86d80233659b94324859ccf24467815d8c44bdbe9542ae5edce79ad1311ec747

SHA512
45a8a7925a06bd81b72979e81cd2050106597d3c81ce6ea2fc49b3109ad4210ebac245a486bd79b3c88a28e237ee2001dc9280a6914e38e2d39b2c4584f5cdbe

Download Submit
C:\ProgramData\tAQsIYQc\PasYMUkw.exe

Filesize
480KB

MD5
bdbd8ee44e84322fe9ce8e39b28de166

SHA1
b3fc78e3779f1834173470881f4294aa3511ba93

SHA256
86d80233659b94324859ccf24467815d8c44bdbe9542ae5edce79ad1311ec747

SHA512
45a8a7925a06bd81b72979e81cd2050106597d3c81ce6ea2fc49b3109ad4210ebac245a486bd79b3c88a28e237ee2001dc9280a6914e38e2d39b2c4584f5cdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae0a56fdf894c66cb7dcc25d4eac377acb4d32c8b4c936605d5d0c541a608c9

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGUYcgQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYgQAkgE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUYsYkAo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MuwkUgks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEMUwgsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcMIYQsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqUswAos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RmcooMwY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAQkQcAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIAAAogg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgsoEYc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIEwcgMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgYAgMIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eosUUIkQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGAAMMgc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIAIEMEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rasIsYow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sGwwskkQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwgwwIws.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziMcMckA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\YQQAIkQo\dsAoosUE.exe

Filesize
480KB

MD5
e1e8444c023985867b4f7c748749f2ff

SHA1
edf8142f8cf157a31baa050c17aa449beac82822

SHA256
6896c5b4916df860e582fa291d29429a6e297e31194b1cddf5fb63eed7d9167c

SHA512
fbc818dba819bfb7badfd260c6587ece790385bc19639c38fa489592e3515cfef1417130fa87367caac490de17b02b6a33fcc1461a9b4ab21ee0086e4ccfb12c

Download Submit
C:\Users\Admin\YQQAIkQo\dsAoosUE.exe

Filesize
480KB

MD5
e1e8444c023985867b4f7c748749f2ff

SHA1
edf8142f8cf157a31baa050c17aa449beac82822

SHA256
6896c5b4916df860e582fa291d29429a6e297e31194b1cddf5fb63eed7d9167c

SHA512
fbc818dba819bfb7badfd260c6587ece790385bc19639c38fa489592e3515cfef1417130fa87367caac490de17b02b6a33fcc1461a9b4ab21ee0086e4ccfb12c

Download Submit
memory/208-217-0x0000000000000000-mapping.dmp

Download
memory/364-148-0x0000000000000000-mapping.dmp

Download
memory/520-202-0x0000000000000000-mapping.dmp

Download
memory/672-239-0x0000000000000000-mapping.dmp

Download
memory/856-225-0x0000000000000000-mapping.dmp

Download
memory/996-312-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1004-224-0x0000000000000000-mapping.dmp

Download
memory/1020-272-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1048-189-0x0000000000000000-mapping.dmp

Download
memory/1092-200-0x0000000000000000-mapping.dmp

Download
memory/1112-162-0x0000000000000000-mapping.dmp

Download
memory/1240-254-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1272-165-0x0000000000000000-mapping.dmp

Download
memory/1296-305-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1296-304-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1468-146-0x0000000000000000-mapping.dmp

Download
memory/1468-246-0x0000000000000000-mapping.dmp

Download
memory/1500-145-0x0000000000000000-mapping.dmp

Download
memory/1504-144-0x0000000000000000-mapping.dmp

Download
memory/1520-228-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1520-301-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1520-218-0x0000000000000000-mapping.dmp

Download
memory/1520-300-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1560-232-0x0000000000000000-mapping.dmp

Download
memory/1632-243-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1632-248-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1632-242-0x0000000000000000-mapping.dmp

Download
memory/1652-204-0x0000000000000000-mapping.dmp

Download
memory/1720-236-0x0000000000000000-mapping.dmp

Download
memory/1772-188-0x0000000000000000-mapping.dmp

Download
memory/1772-206-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1876-178-0x0000000000000000-mapping.dmp

Download
memory/2004-251-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2004-247-0x0000000000000000-mapping.dmp

Download
memory/2020-170-0x0000000000000000-mapping.dmp

Download
memory/2020-171-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2020-181-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2148-237-0x0000000000000000-mapping.dmp

Download
memory/2172-136-0x0000000000000000-mapping.dmp

Download
memory/2172-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2172-154-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2180-184-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2180-193-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2180-182-0x0000000000000000-mapping.dmp

Download
memory/2324-158-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2324-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2384-319-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2384-318-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2424-132-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2424-152-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2440-309-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2440-308-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2448-276-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2452-285-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2520-180-0x0000000000000000-mapping.dmp

Download
memory/2616-211-0x0000000000000000-mapping.dmp

Download
memory/2680-179-0x0000000000000000-mapping.dmp

Download
memory/2728-316-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2740-306-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2760-320-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2796-199-0x0000000000000000-mapping.dmp

Download
memory/2808-168-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2808-147-0x0000000000000000-mapping.dmp

Download
memory/2808-151-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2940-210-0x0000000000000000-mapping.dmp

Download
memory/2992-314-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2992-315-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3064-163-0x0000000000000000-mapping.dmp

Download
memory/3092-221-0x0000000000000000-mapping.dmp

Download
memory/3096-167-0x0000000000000000-mapping.dmp

Download
memory/3180-310-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3180-311-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3200-203-0x0000000000000000-mapping.dmp

Download
memory/3312-212-0x0000000000000000-mapping.dmp

Download
memory/3396-207-0x0000000000000000-mapping.dmp

Download
memory/3428-190-0x0000000000000000-mapping.dmp

Download
memory/3432-209-0x0000000000000000-mapping.dmp

Download
memory/3604-166-0x0000000000000000-mapping.dmp

Download
memory/3716-267-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3716-268-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3720-240-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3720-230-0x0000000000000000-mapping.dmp

Download
memory/3720-233-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3812-298-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3824-294-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3824-290-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3832-161-0x0000000000000000-mapping.dmp

Download
memory/3836-198-0x0000000000000000-mapping.dmp

Download
memory/3836-214-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3848-213-0x0000000000000000-mapping.dmp

Download
memory/4004-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4004-133-0x0000000000000000-mapping.dmp

Download
memory/4004-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4140-160-0x0000000000000000-mapping.dmp

Download
memory/4168-192-0x0000000000000000-mapping.dmp

Download
memory/4176-307-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4204-321-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4236-302-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4240-150-0x0000000000000000-mapping.dmp

Download
memory/4320-313-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4336-303-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4400-263-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4424-164-0x0000000000000000-mapping.dmp

Download
memory/4480-235-0x0000000000000000-mapping.dmp

Download
memory/4484-205-0x0000000000000000-mapping.dmp

Download
memory/4484-289-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4488-226-0x0000000000000000-mapping.dmp

Download
memory/4516-201-0x0000000000000000-mapping.dmp

Download
memory/4520-197-0x0000000000000000-mapping.dmp

Download
memory/4628-238-0x0000000000000000-mapping.dmp

Download
memory/4720-187-0x0000000000000000-mapping.dmp

Download
memory/4800-191-0x0000000000000000-mapping.dmp

Download
memory/4884-175-0x0000000000000000-mapping.dmp

Download
memory/4952-156-0x0000000000000000-mapping.dmp

Download
memory/4952-159-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4952-255-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4952-257-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4952-169-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5036-227-0x0000000000000000-mapping.dmp

Download
memory/5040-323-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5040-322-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5040-223-0x0000000000000000-mapping.dmp

Download
memory/5060-317-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5060-177-0x0000000000000000-mapping.dmp

Download
memory/5064-155-0x0000000000000000-mapping.dmp

Download
memory/5096-299-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5112-280-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5112-277-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download