19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
Size

524KB
MD5

82d53ea60db2054be732976b27171110
SHA1

7b16dab41a0513d39638928131306eb0720c40e6
SHA256

19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
SHA512

cd689a4d26103487bafbfcf20871e14988b8effd3158dbf6847aa0a7d9a9289d84dc3933c08042be0580d6101b16c65f7406f6b0a4a6de08109af47181fb9987
SSDEEP

12288:oDc/RxkurT41MhWI40TGHGO60NQzYtugp0pfUbWK0C3TC3zk:b4Gi6GHXNQzYtugn/

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\vsMkoQsc\\CYQUoccs.exe,C:\\ProgramData\\diIsEgMY\\BKkkgMUY.exe,"	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\vsMkoQsc\\CYQUoccs.exe,C:\\ProgramData\\diIsEgMY\\BKkkgMUY.exe,"	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\vsMkoQsc\\CYQUoccs.exe,"	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\vsMkoQsc\\CYQUoccs.exe,"	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
5016	DQgAYIQQ.exe
5048	CYQUoccs.exe
3232	YAYEoAYs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	CYQUoccs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BKkkgMUY.exe = "C:\\ProgramData\\diIsEgMY\\BKkkgMUY.exe"	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQgAYIQQ.exe = "C:\\Users\\Admin\\wCAAcwss\\DQgAYIQQ.exe"	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CYQUoccs.exe = "C:\\ProgramData\\vsMkoQsc\\CYQUoccs.exe"	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQgAYIQQ.exe = "C:\\Users\\Admin\\wCAAcwss\\DQgAYIQQ.exe"	DQgAYIQQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CYQUoccs.exe = "C:\\ProgramData\\vsMkoQsc\\CYQUoccs.exe"	CYQUoccs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CYQUoccs.exe = "C:\\ProgramData\\vsMkoQsc\\CYQUoccs.exe"	YAYEoAYs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OWcEgAUk.exe = "C:\\Users\\Admin\\fksIMMsw\\OWcEgAUk.exe"	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\wCAAcwss	YAYEoAYs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\wCAAcwss\DQgAYIQQ	YAYEoAYs.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	CYQUoccs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4900	3328	WerFault.exe	1437
224	4092	WerFault.exe	1435
772	4824	WerFault.exe	1436

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
756	reg.exe
4964	reg.exe
2388	reg.exe
3156	reg.exe
4140	reg.exe
2816	reg.exe
208	reg.exe
4516	reg.exe
1276	reg.exe
3212	reg.exe
4552	reg.exe
4520	reg.exe
1512	reg.exe
4500	reg.exe
4316	reg.exe
3016	reg.exe
1224	reg.exe
4840	reg.exe
2272	reg.exe
4568	reg.exe
2800	reg.exe
3224	reg.exe
5088	reg.exe
1960	reg.exe
3216	reg.exe
1428	reg.exe
2356	reg.exe
4732	reg.exe
5036	reg.exe
4964	reg.exe
2032	reg.exe
3396	reg.exe
1288	reg.exe
3588	reg.exe
1876	reg.exe
1792	reg.exe
4676	reg.exe
1648	reg.exe
4848	reg.exe
2812	reg.exe
4340	reg.exe
1412	reg.exe
3448	reg.exe
4812	reg.exe
224	reg.exe
4704	reg.exe
3356	reg.exe
1564	reg.exe
536	reg.exe
2816	reg.exe
3972	reg.exe
3932	reg.exe
1788	reg.exe
1264	reg.exe
1380	reg.exe
2492	reg.exe
2492	reg.exe
3344	reg.exe
3172	reg.exe
3976	reg.exe
4532	reg.exe
4752	reg.exe
1048	reg.exe
2832	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4512	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4512	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4512	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4512	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1484	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1484	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1484	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1484	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1432	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1432	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1432	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1432	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1460	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1460	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1460	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1460	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2032	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2032	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2032	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2032	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4864	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4864	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4864	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4864	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4596	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4596	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4596	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4596	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2756	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2756	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2756	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2756	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1432	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1432	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1432	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
1432	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4276	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4276	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4276	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4276	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2288	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2288	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2288	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
2288	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
216	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
216	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
216	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
216	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4772	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4772	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4772	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
4772	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5048	CYQUoccs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe
5048	CYQUoccs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 5016	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	79
PID 2424 wrote to memory of 5016	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	79
PID 2424 wrote to memory of 5016	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	79
PID 2424 wrote to memory of 5048	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	80
PID 2424 wrote to memory of 5048	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	80
PID 2424 wrote to memory of 5048	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	80
PID 2424 wrote to memory of 4312	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	82
PID 2424 wrote to memory of 4312	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	82
PID 2424 wrote to memory of 4312	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	82
PID 2424 wrote to memory of 4308	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	83
PID 2424 wrote to memory of 4308	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	83
PID 2424 wrote to memory of 4308	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	83
PID 2424 wrote to memory of 4276	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	84
PID 2424 wrote to memory of 4276	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	84
PID 2424 wrote to memory of 4276	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	84
PID 2424 wrote to memory of 2800	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	85
PID 2424 wrote to memory of 2800	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	85
PID 2424 wrote to memory of 2800	2424	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	85
PID 4312 wrote to memory of 748	4312	cmd.exe	90
PID 4312 wrote to memory of 748	4312	cmd.exe	90
PID 4312 wrote to memory of 748	4312	cmd.exe	90
PID 748 wrote to memory of 100	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	91
PID 748 wrote to memory of 100	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	91
PID 748 wrote to memory of 100	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	91
PID 100 wrote to memory of 4784	100	cmd.exe	93
PID 100 wrote to memory of 4784	100	cmd.exe	93
PID 100 wrote to memory of 4784	100	cmd.exe	93
PID 748 wrote to memory of 4316	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	94
PID 748 wrote to memory of 4316	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	94
PID 748 wrote to memory of 4316	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	94
PID 748 wrote to memory of 2492	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	96
PID 748 wrote to memory of 2492	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	96
PID 748 wrote to memory of 2492	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	96
PID 748 wrote to memory of 1692	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	98
PID 748 wrote to memory of 1692	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	98
PID 748 wrote to memory of 1692	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	98
PID 748 wrote to memory of 2004	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	100
PID 748 wrote to memory of 2004	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	100
PID 748 wrote to memory of 2004	748	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	100
PID 4784 wrote to memory of 4228	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	102
PID 4784 wrote to memory of 4228	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	102
PID 4784 wrote to memory of 4228	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	102
PID 4784 wrote to memory of 2052	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	104
PID 4784 wrote to memory of 2052	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	104
PID 4784 wrote to memory of 2052	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	104
PID 4784 wrote to memory of 440	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	106
PID 4784 wrote to memory of 440	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	106
PID 4784 wrote to memory of 440	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	106
PID 4784 wrote to memory of 3348	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	107
PID 4784 wrote to memory of 3348	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	107
PID 4784 wrote to memory of 3348	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	107
PID 4228 wrote to memory of 4512	4228	cmd.exe	108
PID 4228 wrote to memory of 4512	4228	cmd.exe	108
PID 4228 wrote to memory of 4512	4228	cmd.exe	108
PID 4784 wrote to memory of 952	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	111
PID 4784 wrote to memory of 952	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	111
PID 4784 wrote to memory of 952	4784	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	111
PID 2004 wrote to memory of 3588	2004	cmd.exe	114
PID 2004 wrote to memory of 3588	2004	cmd.exe	114
PID 2004 wrote to memory of 3588	2004	cmd.exe	114
PID 952 wrote to memory of 3876	952	cmd.exe	113
PID 952 wrote to memory of 3876	952	cmd.exe	113
PID 952 wrote to memory of 3876	952	cmd.exe	113
PID 4512 wrote to memory of 1564	4512	19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe	115

C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
"C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\wCAAcwss\DQgAYIQQ.exe
  "C:\Users\Admin\wCAAcwss\DQgAYIQQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5016
- C:\ProgramData\vsMkoQsc\CYQUoccs.exe
  "C:\ProgramData\vsMkoQsc\CYQUoccs.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
    C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:100
    - - C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        8⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        10⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        12⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        14⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        16⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        18⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        20⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        22⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        24⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        26⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        28⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        30⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        32⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        33⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        34⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        35⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        36⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        37⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        38⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        39⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        40⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        41⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        42⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        43⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        44⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        45⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        46⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        47⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        48⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        49⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        50⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        51⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        52⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        53⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        54⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        55⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        56⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        57⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        58⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        59⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        60⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        61⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        62⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        63⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        64⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        65⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        66⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        67⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        68⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        69⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        70⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        71⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        72⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        73⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        74⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        75⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        76⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        77⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        78⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        79⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        80⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        81⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        82⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        83⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        84⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        85⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        86⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        87⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        88⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        89⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        90⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        91⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        92⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        93⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        94⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        95⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        96⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        97⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        98⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        99⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        100⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        101⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        102⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        103⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        104⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        105⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        106⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        107⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        108⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        109⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        110⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        111⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        112⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        113⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        114⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        115⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        116⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        117⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        118⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        119⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        120⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        121⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        122⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        123⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        124⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        125⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        126⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        127⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        128⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        129⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        130⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        131⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        132⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        133⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        134⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        135⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        136⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        137⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        138⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        139⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        140⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        141⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        142⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        143⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        144⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        145⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        146⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        147⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        148⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        149⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        150⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        151⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        152⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        153⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        154⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        155⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        156⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        157⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        158⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        159⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        160⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        161⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        162⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        163⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        164⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        165⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        166⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        167⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        168⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        169⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        170⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        171⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        172⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        173⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        174⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        175⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        176⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        177⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        178⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        179⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        180⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        181⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        182⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        183⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        184⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        185⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        186⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        187⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        188⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        189⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        190⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        191⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        192⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        193⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        194⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        195⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        196⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        197⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        198⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        199⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        200⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        201⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        202⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        203⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        204⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        205⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        206⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        207⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        208⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        209⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        210⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        211⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        212⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        213⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        214⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        215⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        216⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        217⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        218⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        219⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        220⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        221⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        222⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        223⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        224⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        225⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:536
        
        C:\Users\Admin\fksIMMsw\OWcEgAUk.exe
        
        "C:\Users\Admin\fksIMMsw\OWcEgAUk.exe"
        226⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 264
        227⤵
        Program crash
        
        PID:224
        
        C:\ProgramData\diIsEgMY\BKkkgMUY.exe
        
        "C:\ProgramData\diIsEgMY\BKkkgMUY.exe"
        226⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 284
        227⤵
        Program crash
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee"
        226⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe
        
        C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee
        227⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyEwwMwI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        226⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUEsYcck.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        224⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IocIMwcs.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        222⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUMcUokE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        220⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOcgQIkA.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        218⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEgIAQEg.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        216⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWQgAwIk.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        214⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        Modifies registry key
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xasoIMMU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        212⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqYwwsow.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        210⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeUMYsQo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        208⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okQQEMoE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        206⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIEIQMcU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        204⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAwIIAEY.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        202⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCwkMEAo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        200⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQQYMssY.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        198⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kagAYYEI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        196⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uggsEAwc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        194⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwAUcokM.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        192⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wucYsccA.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        190⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmssMIwg.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        188⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKoMoEYk.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        186⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEwgkwYM.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        184⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gioAAEsU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        182⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUgUkcUE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        180⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgwoYEgM.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        178⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMwgQMAk.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        176⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWEoockQ.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        174⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssUgQEoo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        172⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYUcQwYA.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        170⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOYoQoMI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        168⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIQAYQcE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        166⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyoYgEQU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        164⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAIIgQQw.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        162⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emwwgYkk.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        160⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmwMAIkU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        158⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuokQQgY.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        156⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICUgIEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        154⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEMEgkAc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        152⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyAsEskc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        150⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmIswcIo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        148⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HssYIMos.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        146⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwEcUYgc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        144⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEoMUock.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        142⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoEAckkU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        140⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYMYQEkI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        138⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUQwAscE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        136⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BioEswcA.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        134⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEMUoggo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        132⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwocgQsY.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        130⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwEIsggI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        128⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKYIoIow.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        126⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMksgYsE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        124⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQIUccMI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        122⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIkooMQM.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        120⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsoIEYsg.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        118⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyMIsoIU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        116⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROQwoQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        114⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SucAcosU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        112⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMMccosY.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        110⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAwUgkcw.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        108⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWkkcoQw.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        106⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGsYocAQ.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        104⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuEUAUkI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        102⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKwEsoUg.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        100⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeMEoMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        98⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAckIQso.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        96⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baUUQwIk.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        94⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIcIAsks.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        92⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byQsEsUM.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        90⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMAwEYgE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        88⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCsswEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        86⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JygMQYUs.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        84⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoAYoYIY.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        82⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSIsUUYw.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        80⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqsggMAg.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        78⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkcgAUgw.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        76⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSoIsocw.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        74⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmAwUUoc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        72⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUYgIkoA.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        70⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEwEYAsM.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        68⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcIAIkUo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        66⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuEcUUYc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        64⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUIAwwMI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        62⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCAkskcE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        60⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smgcIUoU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        58⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsIIEkkU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        56⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYYkggUA.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        54⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkgAUEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        52⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BegAIQUA.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        50⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOsUIgUg.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        48⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkEAEQYU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        46⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hewIwMAo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        44⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwcIUIIE.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        42⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROksIQAA.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        40⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEkUwcoU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        38⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwcksUYw.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        36⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaEAwYUg.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        34⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wusAwock.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        32⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuEgEgAY.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        30⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKkYwwUo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        28⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyEUwQII.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        26⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogYoYYMc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        24⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQQQUoYU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        22⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acwsgwMc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        20⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuccQUAs.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        18⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSgkEIAc.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        16⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moYwoMgo.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        14⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyoUsMMI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        12⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyEAcosU.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        10⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWYEcAMk.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1400
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:440
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaAwMQss.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4316
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2492
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYEoIEos.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAUYEUQI.bat" "C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee.exe""
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4780

C:\ProgramData\kUYwwEQM\YAYEoAYs.exe
C:\ProgramData\kUYwwEQM\YAYEoAYs.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3232

C:\ProgramData\ZIgQIIgk\awIckgcg.exe
C:\ProgramData\ZIgQIIgk\awIckgcg.exe
1⤵
PID:3328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 404
  2⤵
  - Program crash
  PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4824 -ip 4824
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3328 -ip 3328
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4092 -ip 4092
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kUYwwEQM\YAYEoAYs.exe

Filesize
482KB

MD5
e70cabf265933bd9030d7c866fc49592

SHA1
03f7b03c8629c55b4068684cd3801f4885650b81

SHA256
54259fde1ea7aab9c22720b8762e9bb640db228637de9b11adebc572c2900ba8

SHA512
b76c2ebd3495850dec2f980a4470a518da447c8139be94edba63e1c3629cc28c10b00d064820c8bb0c1e0511fde93dff386bc87e8414664ced0f8430e2b35d48

Download Submit
C:\ProgramData\kUYwwEQM\YAYEoAYs.exe

Filesize
482KB

MD5
e70cabf265933bd9030d7c866fc49592

SHA1
03f7b03c8629c55b4068684cd3801f4885650b81

SHA256
54259fde1ea7aab9c22720b8762e9bb640db228637de9b11adebc572c2900ba8

SHA512
b76c2ebd3495850dec2f980a4470a518da447c8139be94edba63e1c3629cc28c10b00d064820c8bb0c1e0511fde93dff386bc87e8414664ced0f8430e2b35d48

Download Submit
C:\ProgramData\vsMkoQsc\CYQUoccs.exe

Filesize
478KB

MD5
65c55b4c62a57d9dfe40600a6c0f6693

SHA1
f669461cd334e64f12da4ad9518e3ed09ba5b458

SHA256
ecffa800aaaf60782caa50881a1737d5a932e872e36ac3e969c64c906b56d841

SHA512
127db44e359cdedaac2c53912a4e797e8139100707cfe8691281b35aae707b5518f62884508a52e75462f8088ee6c5f4bf38e1ff50c9fb3e30e8eb6daf66ec89

Download Submit
C:\ProgramData\vsMkoQsc\CYQUoccs.exe

Filesize
478KB

MD5
65c55b4c62a57d9dfe40600a6c0f6693

SHA1
f669461cd334e64f12da4ad9518e3ed09ba5b458

SHA256
ecffa800aaaf60782caa50881a1737d5a932e872e36ac3e969c64c906b56d841

SHA512
127db44e359cdedaac2c53912a4e797e8139100707cfe8691281b35aae707b5518f62884508a52e75462f8088ee6c5f4bf38e1ff50c9fb3e30e8eb6daf66ec89

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19480efc82f9d520c52905cef3467d4eacd6557915bb1e3574fbdfaf08b1ccee

Filesize
37KB

MD5
895f1104e0efe385bd73f8b1a70244db

SHA1
d3105502dd3006873af0de96eeab033076a85c74

SHA256
99ba1fcfeb83c781b1dd3d1a22007de6ede3e862f8f01ce7077d5d0908c0385a

SHA512
ab2c413556655e2c33fa03a77721535318faf851c41137621c2e892e9851e360abe88c41400e2595439d64859254b57ec1d4af3466b7bfd5bac63866b0b3960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuEgEgAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQQQUoYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaAwMQss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyoUsMMI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PuccQUAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROksIQAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaEAwYUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YWYEcAMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwcIUIIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\acwsgwMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEkUwcoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyEUwQII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSgkEIAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\moYwoMgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwcksUYw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYEoIEos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogYoYYMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pKkYwwUo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyEAcosU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wusAwock.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\wCAAcwss\DQgAYIQQ.exe

Filesize
482KB

MD5
5b0781f26bb09bcbdb82da48b944c50f

SHA1
1fce9b1c534c88a81804b3a25c4b53a3e5d283cb

SHA256
3f2948514b953404aa7b3e0b5619444753ead91bfc4c99918b904721e0bda9f5

SHA512
f76c5c69b724500c2df478aa0e003de06e13d3d08c0e84468d16c21003dc8e65c0ec6e9b9c92f1aa8a9757d9ddd945e57c1801742824bfd6037ddae796e1dc6f

Download Submit
C:\Users\Admin\wCAAcwss\DQgAYIQQ.exe

Filesize
482KB

MD5
5b0781f26bb09bcbdb82da48b944c50f

SHA1
1fce9b1c534c88a81804b3a25c4b53a3e5d283cb

SHA256
3f2948514b953404aa7b3e0b5619444753ead91bfc4c99918b904721e0bda9f5

SHA512
f76c5c69b724500c2df478aa0e003de06e13d3d08c0e84468d16c21003dc8e65c0ec6e9b9c92f1aa8a9757d9ddd945e57c1801742824bfd6037ddae796e1dc6f

Download Submit
memory/216-259-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/224-296-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/224-297-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/388-308-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/624-323-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/748-161-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/828-316-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/928-301-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1012-270-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1084-295-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1120-276-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1120-272-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1400-303-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1432-248-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1432-201-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1432-245-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1460-202-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1460-211-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1484-187-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1484-189-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1564-298-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1996-306-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2032-223-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2064-318-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2064-317-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2288-310-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2288-311-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2288-257-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2424-313-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2424-132-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2424-271-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2636-314-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2756-244-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2844-307-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3000-280-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3016-300-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3016-299-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3232-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3380-322-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3380-321-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3392-309-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3560-290-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3568-283-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3568-286-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3672-319-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3896-320-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3976-302-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3984-315-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4276-253-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4492-312-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4512-178-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4568-305-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4568-304-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4596-240-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4596-236-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4772-266-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4772-261-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4784-166-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4784-162-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4864-232-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5016-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5016-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5048-142-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5048-282-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download