e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Analysis

max time kernel
173s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Size

441KB
MD5

a226c77d2b343db7a9392546cf3c48a0
SHA1

7e53b73687387cdd19da6eedefca47a96f08ee02
SHA256

e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
SHA512

b6f1116d0ee017c62f24103400c666d6b29de387f0c4deb89fa6261a304d72860500571f12908ba80b3376b95abd1ea609cfc5dff71b507b251d0be958e3be88
SSDEEP

6144:YXbd9dRDfQlgJKN28ThdR58CdTTfBG7Bf5K3VSGdA0q8ZHb5DBXr2HA+o8mKEq:YXx9qomhWylVpdA0nV1BX4notKEq

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2128	ACsMgMMY.exe
740	qiosUwIA.exe
540	EAUMAwQo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	qiosUwIA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qiosUwIA.exe = "C:\\ProgramData\\DKEMUIIU\\qiosUwIA.exe"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACsMgMMY.exe = "C:\\Users\\Admin\\mqwkocQg\\ACsMgMMY.exe"	ACsMgMMY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qiosUwIA.exe = "C:\\ProgramData\\DKEMUIIU\\qiosUwIA.exe"	qiosUwIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qiosUwIA.exe = "C:\\ProgramData\\DKEMUIIU\\qiosUwIA.exe"	EAUMAwQo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACsMgMMY.exe = "C:\\Users\\Admin\\mqwkocQg\\ACsMgMMY.exe"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheFormatReceive.docx	qiosUwIA.exe
File opened for modification	C:\Windows\SysWOW64\sheResetSearch.zip	qiosUwIA.exe
File opened for modification	C:\Windows\SysWOW64\sheSplitJoin.bmp	qiosUwIA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\mqwkocQg	EAUMAwQo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\mqwkocQg\ACsMgMMY	EAUMAwQo.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	qiosUwIA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
816	reg.exe
3392	reg.exe
4380	reg.exe
340	reg.exe
4780	reg.exe
4136	reg.exe
2032	reg.exe
1272	reg.exe
1540	reg.exe
4644	reg.exe
3476	reg.exe
4084	reg.exe
1764	reg.exe
2408	reg.exe
2344	reg.exe
1720	reg.exe
2176	reg.exe
996	reg.exe
4672	reg.exe
3736	reg.exe
4208	reg.exe
4940	reg.exe
4320	reg.exe
4464	reg.exe
3332	reg.exe
1988	reg.exe
4460	reg.exe
376	reg.exe
2132	reg.exe
2768	reg.exe
2828	reg.exe
3596	reg.exe
1132	reg.exe
3120	reg.exe
4948	reg.exe
5004	reg.exe
1048	reg.exe
2344	reg.exe
2104	reg.exe
4896	reg.exe
3896	reg.exe
1992	reg.exe
4000	reg.exe
4212	reg.exe
3940	reg.exe
4568	reg.exe
4832	reg.exe
4988	reg.exe
4248	reg.exe
5088	reg.exe
5008	reg.exe
2904	reg.exe
2924	reg.exe
5012	reg.exe
4084	reg.exe
2904	reg.exe
4040	reg.exe
4912	reg.exe
4460	reg.exe
5100	reg.exe
1384	reg.exe
4548	reg.exe
3888	reg.exe
4596	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4480	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4480	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4480	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4480	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
708	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
708	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
708	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
708	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
5104	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
5104	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
5104	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
5104	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1116	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1116	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1116	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1116	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
2040	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
2040	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
2040	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
2040	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1220	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1220	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1220	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1220	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1656	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1656	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1656	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1656	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4048	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4048	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4048	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4048	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4212	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4212	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4212	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
4212	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
2888	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
2888	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
2888	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
2888	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1860	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1860	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1860	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1860	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1100	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1100	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1100	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
1100	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
204	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
204	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
204	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
204	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
740	qiosUwIA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe
740	qiosUwIA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2128	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	79
PID 3452 wrote to memory of 2128	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	79
PID 3452 wrote to memory of 2128	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	79
PID 3452 wrote to memory of 740	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	80
PID 3452 wrote to memory of 740	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	80
PID 3452 wrote to memory of 740	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	80
PID 3452 wrote to memory of 2336	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	82
PID 3452 wrote to memory of 2336	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	82
PID 3452 wrote to memory of 2336	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	82
PID 2336 wrote to memory of 4016	2336	cmd.exe	84
PID 2336 wrote to memory of 4016	2336	cmd.exe	84
PID 2336 wrote to memory of 4016	2336	cmd.exe	84
PID 3452 wrote to memory of 5028	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	85
PID 3452 wrote to memory of 5028	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	85
PID 3452 wrote to memory of 5028	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	85
PID 3452 wrote to memory of 5036	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	89
PID 3452 wrote to memory of 5036	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	89
PID 3452 wrote to memory of 5036	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	89
PID 3452 wrote to memory of 4984	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	87
PID 3452 wrote to memory of 4984	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	87
PID 3452 wrote to memory of 4984	3452	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	87
PID 4016 wrote to memory of 1932	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	91
PID 4016 wrote to memory of 1932	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	91
PID 4016 wrote to memory of 1932	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	91
PID 1932 wrote to memory of 1600	1932	cmd.exe	93
PID 1932 wrote to memory of 1600	1932	cmd.exe	93
PID 1932 wrote to memory of 1600	1932	cmd.exe	93
PID 4016 wrote to memory of 1744	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	94
PID 4016 wrote to memory of 1744	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	94
PID 4016 wrote to memory of 1744	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	94
PID 4016 wrote to memory of 1800	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	96
PID 4016 wrote to memory of 1800	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	96
PID 4016 wrote to memory of 1800	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	96
PID 4016 wrote to memory of 2224	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	101
PID 4016 wrote to memory of 2224	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	101
PID 4016 wrote to memory of 2224	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	101
PID 4016 wrote to memory of 3000	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	98
PID 4016 wrote to memory of 3000	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	98
PID 4016 wrote to memory of 3000	4016	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	98
PID 1600 wrote to memory of 4028	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	102
PID 1600 wrote to memory of 4028	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	102
PID 1600 wrote to memory of 4028	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	102
PID 3000 wrote to memory of 3896	3000	cmd.exe	104
PID 3000 wrote to memory of 3896	3000	cmd.exe	104
PID 3000 wrote to memory of 3896	3000	cmd.exe	104
PID 4028 wrote to memory of 4480	4028	cmd.exe	105
PID 4028 wrote to memory of 4480	4028	cmd.exe	105
PID 4028 wrote to memory of 4480	4028	cmd.exe	105
PID 1600 wrote to memory of 4812	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	106
PID 1600 wrote to memory of 4812	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	106
PID 1600 wrote to memory of 4812	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	106
PID 1600 wrote to memory of 4856	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	107
PID 1600 wrote to memory of 4856	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	107
PID 1600 wrote to memory of 4856	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	107
PID 1600 wrote to memory of 3760	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	108
PID 1600 wrote to memory of 3760	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	108
PID 1600 wrote to memory of 3760	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	108
PID 1600 wrote to memory of 3672	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	110
PID 1600 wrote to memory of 3672	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	110
PID 1600 wrote to memory of 3672	1600	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	110
PID 3672 wrote to memory of 3796	3672	cmd.exe	114
PID 3672 wrote to memory of 3796	3672	cmd.exe	114
PID 3672 wrote to memory of 3796	3672	cmd.exe	114
PID 4480 wrote to memory of 1224	4480	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe	115

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe

C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
"C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\mqwkocQg\ACsMgMMY.exe
  "C:\Users\Admin\mqwkocQg\ACsMgMMY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2128
- C:\ProgramData\DKEMUIIU\qiosUwIA.exe
  "C:\ProgramData\DKEMUIIU\qiosUwIA.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
    C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        8⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        10⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        12⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        14⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        16⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        18⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        20⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        22⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        24⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        26⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        28⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        30⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        32⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        33⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        34⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        35⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        36⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        37⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        38⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        39⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        40⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        41⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        42⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        43⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        44⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        45⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        46⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        47⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        48⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        49⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        50⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        51⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        52⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuoocQII.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        52⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIAEMwso.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        50⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUQgQIUs.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        48⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EowQIEoE.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        46⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsEsMcow.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        44⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWsccMcg.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        42⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuAMcoAY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        40⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuogksQk.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        38⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQgYkscA.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        36⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuAUUckk.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        34⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcAEUgkY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        32⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGIEwUcY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        30⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkYQMskg.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        28⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        27⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        28⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        29⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        30⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        31⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        32⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        33⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        34⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        35⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        36⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        37⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        38⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        39⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        40⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        41⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        42⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        43⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        44⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        45⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        46⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        47⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        48⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        49⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        50⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        51⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        52⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        53⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        54⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        55⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        56⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        57⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        58⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        59⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        60⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        61⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        62⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        63⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        64⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        65⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        66⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        67⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        68⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        69⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        70⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        71⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        72⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        73⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        74⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        75⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        76⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        77⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        78⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        79⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        80⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        81⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        82⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        83⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        84⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        85⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        86⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        87⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        88⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        89⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        90⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        91⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        92⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        93⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        94⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        95⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        96⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        97⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        98⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        99⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        100⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        101⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        102⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        103⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        104⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        105⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        106⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        107⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        108⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        109⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        110⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        111⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        112⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        113⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        114⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        115⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        116⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        117⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        118⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        119⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        120⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        121⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        122⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        123⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        124⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        125⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        126⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        127⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        128⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        129⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        130⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        131⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        132⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        133⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        134⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        135⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        136⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        137⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        138⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        139⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        140⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        141⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        142⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        143⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        144⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        145⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        146⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        147⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        148⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        149⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        150⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        151⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        152⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        153⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        154⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        155⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        156⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        157⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        158⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        159⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        160⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        161⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        162⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        163⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        164⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        165⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        166⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        167⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        168⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        169⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        170⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        171⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        172⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        173⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        174⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        175⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        176⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        177⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        178⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        179⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        180⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        181⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        182⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        183⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        184⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        185⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        186⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        187⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        188⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        189⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        190⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        191⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        192⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        193⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        194⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        195⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        196⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        197⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        198⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        199⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        200⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        201⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        202⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        203⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        204⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        205⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        206⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        207⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        208⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        209⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        210⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        211⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        212⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        213⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        214⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        215⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        216⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        217⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        218⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        219⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        220⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        221⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        222⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        223⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        224⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        225⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        226⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        227⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        228⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        229⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        230⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        231⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b"
        232⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe
        
        C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b
        233⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSEwEgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        232⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwkssMII.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        230⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xigAkooI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        228⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoUIccck.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        226⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMcYsoco.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        224⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqAIwMAo.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        222⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        Modifies registry key
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYEYQwwA.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        220⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKokcEok.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        218⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKQAwUMw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        216⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoMgoMUI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        214⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWsgMgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        212⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FioUQUEs.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        210⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWIwMogQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        208⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOQsMQII.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        206⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fisUYsgg.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        204⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEQoAUgw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        202⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOwoEkwA.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        200⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOcckcgo.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        198⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syMQUgQg.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        196⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAYwcMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        194⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOoEIYgY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        192⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmMsgMoo.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        190⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSkMgQkI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        188⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEgEYMI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        186⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQMEgAkc.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        184⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwcQQcYM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        182⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIQIoYYI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        180⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKcgAQwo.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        178⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQsckUQg.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        176⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIwcUosM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        174⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSwQokYc.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        172⤵
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuYUkAwI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        170⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWsUYoQw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        168⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSsssUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        166⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKkcYcco.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        164⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQIcEQAU.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        162⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWAEQkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        160⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCYUcQEY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        158⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGQgsgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        156⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAUcoIgE.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        154⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peYwocYc.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        152⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSMEkkcw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        150⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyIwcYMY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        148⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYQUQIEY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        146⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huAIIQMM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        144⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaUMMwIE.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        142⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NccQEkUs.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        140⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycogAAgI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        138⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYsIwAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        136⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgQgcocA.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        134⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIMAEkcM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        132⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqYEkswU.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        130⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziAEoYAA.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        128⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKQwIwAg.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        126⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUgUIgMM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        124⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqcgkEME.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        122⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmMQIIow.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        120⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAgQcscA.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        118⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwkMYcwI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        116⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUgEQgQI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        114⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwEQcwsw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        112⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoIgYAgs.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        110⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUwgEEIg.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        108⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usEIsAsY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        106⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WscswIMM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        104⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rykooQUA.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        102⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KccEEcMY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        100⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmgAMUoY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        98⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkYYMkMc.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        96⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAQcQEMM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        94⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoMAYoIk.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        92⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgckYIEY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        90⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duAgQEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        88⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raoMIoAo.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        86⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOcgUQAo.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        84⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amcAAgIc.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        82⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukscAoks.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        80⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMsEAQMw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        78⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOskskQQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        76⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESgQUMww.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        74⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaoQQsUc.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        72⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEggQogY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        70⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMkAQEMI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        68⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miQUgAYE.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        66⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgAwwcIY.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        64⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKoYMkoM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        62⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyoYckco.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        60⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsgEMcoM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        58⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUwYAkog.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        56⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAMYoskM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        54⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgoIYcsk.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        52⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUEkscco.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        50⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWEcUIYU.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        48⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMAccwUc.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        46⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saMksgko.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        44⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmkEYkcs.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        42⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWMgIscw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        40⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcIIAsEI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        38⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuIsgkwg.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        36⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOsskoUc.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        34⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCggMcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        32⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAAcIYsw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        30⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeoccYcU.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        28⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgoUgcEw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        26⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUsQsIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        24⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiUkUUUw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        22⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioMMYkMw.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        20⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEcAMwYI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        18⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SccgogUI.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        16⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIksYckM.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        14⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMQAUUso.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        12⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekYUcgU.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        10⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooUkUAQA.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3736
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4812
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4856
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICwAwEEk.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noMUcQww.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3896
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5028
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyQcoIoo.bat" "C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b.exe""
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2472

C:\ProgramData\zUQYgkIU\EAUMAwQo.exe
C:\ProgramData\zUQYgkIU\EAUMAwQo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DKEMUIIU\qiosUwIA.exe

Filesize
429KB

MD5
2a31d5f49d1c33f9b4d567479a91d735

SHA1
a69369645ed56d086b02067db7c3ce2374d8489e

SHA256
af8f0afbaf16059ad653d543e6dff13c0d3342e584201cf288f3fc4bdc9895eb

SHA512
f4dacadb9da233f0355e1bd65dbf028e664684ad99482b3cf4282d637f31a48dc0763e18dc5c4df39dcb308d37df4d58f0a50180b87a5a6a00e7f718410a993d

Download Submit
C:\ProgramData\DKEMUIIU\qiosUwIA.exe

Filesize
429KB

MD5
2a31d5f49d1c33f9b4d567479a91d735

SHA1
a69369645ed56d086b02067db7c3ce2374d8489e

SHA256
af8f0afbaf16059ad653d543e6dff13c0d3342e584201cf288f3fc4bdc9895eb

SHA512
f4dacadb9da233f0355e1bd65dbf028e664684ad99482b3cf4282d637f31a48dc0763e18dc5c4df39dcb308d37df4d58f0a50180b87a5a6a00e7f718410a993d

Download Submit
C:\ProgramData\zUQYgkIU\EAUMAwQo.exe

Filesize
433KB

MD5
7959c6e4b3647c126b301a0756c862c0

SHA1
cdccbf97275ac71f02d2c5d605afb0faeef3204d

SHA256
491b42922fb0cccf5eaa2ef255b0f739b468b830bce0d3ab3e8954527daa74c2

SHA512
24c3d5df0d629af8700ebce1f1406cb9f00126d28adedb25d70542397904e6d1fa830c60aaf9a0bfecdc8bf045ef0c5b629673cde3aa50d0c5c30c4ef9eb84ab

Download Submit
C:\ProgramData\zUQYgkIU\EAUMAwQo.exe

Filesize
433KB

MD5
7959c6e4b3647c126b301a0756c862c0

SHA1
cdccbf97275ac71f02d2c5d605afb0faeef3204d

SHA256
491b42922fb0cccf5eaa2ef255b0f739b468b830bce0d3ab3e8954527daa74c2

SHA512
24c3d5df0d629af8700ebce1f1406cb9f00126d28adedb25d70542397904e6d1fa830c60aaf9a0bfecdc8bf045ef0c5b629673cde3aa50d0c5c30c4ef9eb84ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgoUgcEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICwAwEEk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUsQsIEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMQAUUso.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuAMcoAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SccgogUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWsccMcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuAUUckk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIksYckM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGIEwUcY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEcAMwYI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c26f4c515207c52d123606bc1f820d28aa242c286ccc1e2e7a35e1e0b1498b

Filesize
6KB

MD5
672a1f1de82c3076688c129d2c89d0e2

SHA1
02e8f06ad6888c9fb28059f5eac065b7bbfdd365

SHA256
1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363

SHA512
e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioMMYkMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcAEUgkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\noMUcQww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooUkUAQA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pekYUcgU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQgYkscA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiUkUUUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkYQMskg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuogksQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\mqwkocQg\ACsMgMMY.exe

Filesize
434KB

MD5
229324b5e36be67ae46a4956cab848c0

SHA1
86d91eb768f68e2d92af1a8f090e78e100080c41

SHA256
05cc805ab070ee8b140e813bb77bdaf0ab5a6f2997cfaf62b42579023d32b277

SHA512
261a6c832f3f8e383f30827a70eeb756c001909a329fff0de1303d0b45a832ee5a4cdff7814a26606446c00429cabe7950ee75e0fd37c42b070264e60098855f

Download Submit
C:\Users\Admin\mqwkocQg\ACsMgMMY.exe

Filesize
434KB

MD5
229324b5e36be67ae46a4956cab848c0

SHA1
86d91eb768f68e2d92af1a8f090e78e100080c41

SHA256
05cc805ab070ee8b140e813bb77bdaf0ab5a6f2997cfaf62b42579023d32b277

SHA512
261a6c832f3f8e383f30827a70eeb756c001909a329fff0de1303d0b45a832ee5a4cdff7814a26606446c00429cabe7950ee75e0fd37c42b070264e60098855f

Download Submit
memory/8-283-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/8-285-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-291-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/204-267-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/340-314-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/540-143-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/540-301-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/708-190-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/740-142-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/740-300-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/824-308-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/824-309-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1028-323-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1100-263-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1116-209-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1116-201-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1220-224-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1220-235-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1368-295-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1472-297-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1600-303-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1600-167-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1656-241-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1860-259-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1860-258-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2040-223-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2128-299-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2128-141-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2164-318-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2252-271-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2844-279-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2888-254-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3016-306-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3116-320-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3116-321-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3168-319-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3176-292-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3272-317-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3272-316-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3440-305-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3440-304-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3452-296-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3452-132-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3512-312-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3512-313-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4016-156-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4020-294-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4020-293-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4048-245-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4212-250-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4212-246-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4220-275-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4304-302-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4480-178-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4480-165-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4520-307-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4544-315-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4644-311-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4708-284-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4708-288-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4780-298-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5004-310-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5088-322-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5104-200-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download