187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Analysis

max time kernel
176s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
Size

500KB
MD5

a0a5b2e9fdf92c51d6672b4f2d946680
SHA1

9f951018d47f5708f02febef6bcdac3ef83777ba
SHA256

187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
SHA512

05c86b291a0d0150a1270ed05c91bc4589a1bd891ec77ed977b6b5899116ad2f4da0708deaaadda551dbb6d29bd869fd900a81a531807520805953b2cb426f59
SSDEEP

12288:E1TNcnMSJBs71d0rSnPeOOdg+gOBZU+EkiHdk:KNcHJBs71ChbsHdk

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\uEAMwEAE\\eCUEQAMo.exe,"	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\uEAMwEAE\\eCUEQAMo.exe,"	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\uEAMwEAE\\eCUEQAMo.exe,C:\\ProgramData\\SMgIwYko\\gmMgcIIw.exe,"	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\uEAMwEAE\\eCUEQAMo.exe,C:\\ProgramData\\SMgIwYko\\gmMgcIIw.exe,"	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4544	ZcoEgMsk.exe
1072	eCUEQAMo.exe
3136	GeowAokg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ZcoEgMsk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZcoEgMsk.exe = "C:\\Users\\Admin\\wQUEwYEU\\ZcoEgMsk.exe"	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eCUEQAMo.exe = "C:\\ProgramData\\uEAMwEAE\\eCUEQAMo.exe"	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZcoEgMsk.exe = "C:\\Users\\Admin\\wQUEwYEU\\ZcoEgMsk.exe"	ZcoEgMsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eCUEQAMo.exe = "C:\\ProgramData\\uEAMwEAE\\eCUEQAMo.exe"	eCUEQAMo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eCUEQAMo.exe = "C:\\ProgramData\\uEAMwEAE\\eCUEQAMo.exe"	GeowAokg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUsQEMco.exe = "C:\\Users\\Admin\\baQcEMMk\\GUsQEMco.exe"	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmMgcIIw.exe = "C:\\ProgramData\\SMgIwYko\\gmMgcIIw.exe"	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shePingDebug.exe	ZcoEgMsk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\wQUEwYEU	GeowAokg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\wQUEwYEU\ZcoEgMsk	GeowAokg.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	ZcoEgMsk.exe
File opened for modification	C:\Windows\SysWOW64\sheDenyDismount.rar	ZcoEgMsk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
628	1640	WerFault.exe	1764
1092	540	WerFault.exe	1761
4040	4280	WerFault.exe	1766

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2216	reg.exe
3968	reg.exe
4240	reg.exe
1276	reg.exe
4900	reg.exe
1292	reg.exe
4844	reg.exe
4876	reg.exe
4324	reg.exe
2324	reg.exe
820	reg.exe
1668	reg.exe
3504	reg.exe
2940	reg.exe
4676	reg.exe
4856	reg.exe
4876	reg.exe
4572	reg.exe
1780	reg.exe
4824	reg.exe
1220	reg.exe
4432	reg.exe
4860	reg.exe
4168	reg.exe
5012	reg.exe
1596	reg.exe
4244	reg.exe
2220	reg.exe
2740	reg.exe
2800	reg.exe
2892	reg.exe
4276	reg.exe
1128	reg.exe
2696	reg.exe
5040	reg.exe
2852	reg.exe
3596	reg.exe
4680	reg.exe
828	reg.exe
2088	reg.exe
4080	reg.exe
4368	reg.exe
1332	reg.exe
3776	reg.exe
5084	reg.exe
4688	reg.exe
4432	reg.exe
4160	reg.exe
4660	reg.exe
4668	reg.exe
860	Process not Found
2204	reg.exe
4976	reg.exe
3256	reg.exe
4832	reg.exe
3604	reg.exe
4012	reg.exe
4560	reg.exe
4668	reg.exe
4432	reg.exe
3228	reg.exe
5032	reg.exe
3516	reg.exe
4400	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3252	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3252	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3252	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3252	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
1440	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
1440	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
1440	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
1440	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3168	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3168	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3168	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3168	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4360	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4360	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4360	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4360	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3944	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3944	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3944	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3944	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3252	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3252	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3252	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3252	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
2840	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
2840	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
2840	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
2840	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4044	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4044	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4044	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4044	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4868	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4868	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4868	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
4868	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3700	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3700	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3700	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3700	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
1768	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
1768	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
1768	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
1768	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3436	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3436	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3436	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
3436	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4544	ZcoEgMsk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe
4544	ZcoEgMsk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4544	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	81
PID 4240 wrote to memory of 4544	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	81
PID 4240 wrote to memory of 4544	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	81
PID 4240 wrote to memory of 1072	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	82
PID 4240 wrote to memory of 1072	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	82
PID 4240 wrote to memory of 1072	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	82
PID 4240 wrote to memory of 1284	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	84
PID 4240 wrote to memory of 1284	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	84
PID 4240 wrote to memory of 1284	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	84
PID 4240 wrote to memory of 2160	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	86
PID 4240 wrote to memory of 2160	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	86
PID 4240 wrote to memory of 2160	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	86
PID 1284 wrote to memory of 4384	1284	cmd.exe	87
PID 1284 wrote to memory of 4384	1284	cmd.exe	87
PID 1284 wrote to memory of 4384	1284	cmd.exe	87
PID 4240 wrote to memory of 1424	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	92
PID 4240 wrote to memory of 1424	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	92
PID 4240 wrote to memory of 1424	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	92
PID 4240 wrote to memory of 4432	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	89
PID 4240 wrote to memory of 4432	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	89
PID 4240 wrote to memory of 4432	4240	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	89
PID 4384 wrote to memory of 436	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	93
PID 4384 wrote to memory of 436	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	93
PID 4384 wrote to memory of 436	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	93
PID 436 wrote to memory of 3528	436	cmd.exe	95
PID 436 wrote to memory of 3528	436	cmd.exe	95
PID 436 wrote to memory of 3528	436	cmd.exe	95
PID 3528 wrote to memory of 3700	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	96
PID 3528 wrote to memory of 3700	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	96
PID 3528 wrote to memory of 3700	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	96
PID 3700 wrote to memory of 3908	3700	cmd.exe	213
PID 3700 wrote to memory of 3908	3700	cmd.exe	213
PID 3700 wrote to memory of 3908	3700	cmd.exe	213
PID 4384 wrote to memory of 2092	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	211
PID 4384 wrote to memory of 2092	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	211
PID 4384 wrote to memory of 2092	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	211
PID 3528 wrote to memory of 1980	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	212
PID 3528 wrote to memory of 1980	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	212
PID 3528 wrote to memory of 1980	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	212
PID 3528 wrote to memory of 4844	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	210
PID 3528 wrote to memory of 4844	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	210
PID 3528 wrote to memory of 4844	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	210
PID 3528 wrote to memory of 3432	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	99
PID 3528 wrote to memory of 3432	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	99
PID 3528 wrote to memory of 3432	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	99
PID 4384 wrote to memory of 5072	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	98
PID 4384 wrote to memory of 5072	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	98
PID 4384 wrote to memory of 5072	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	98
PID 3528 wrote to memory of 2116	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	100
PID 3528 wrote to memory of 2116	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	100
PID 3528 wrote to memory of 2116	3528	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	100
PID 4384 wrote to memory of 3360	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	206
PID 4384 wrote to memory of 3360	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	206
PID 4384 wrote to memory of 3360	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	206
PID 4384 wrote to memory of 4304	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	105
PID 4384 wrote to memory of 4304	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	105
PID 4384 wrote to memory of 4304	4384	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	105
PID 3908 wrote to memory of 3188	3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	205
PID 3908 wrote to memory of 3188	3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	205
PID 3908 wrote to memory of 3188	3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	205
PID 3908 wrote to memory of 2652	3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	203
PID 3908 wrote to memory of 2652	3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	203
PID 3908 wrote to memory of 2652	3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	203
PID 3908 wrote to memory of 1452	3908	187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe	169

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
"C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\wQUEwYEU\ZcoEgMsk.exe
  "C:\Users\Admin\wQUEwYEU\ZcoEgMsk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4544
- C:\ProgramData\uEAMwEAE\eCUEQAMo.exe
  "C:\ProgramData\uEAMwEAE\eCUEQAMo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
    C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCgYkcss.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        6⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4844
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acMswMcI.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
      4⤵
      PID:4304
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3360
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2160
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4432
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKMQcIgw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
  2⤵
  PID:4432
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4576

C:\ProgramData\XWcYQcoI\GeowAokg.exe
C:\ProgramData\XWcYQcoI\GeowAokg.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKcAIgUw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
1⤵
PID:3472
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1152

C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
  2⤵
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
    C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3168
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYgMAAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
      4⤵
      PID:4688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIAUgoAM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
  2⤵
  PID:4636
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
  2⤵
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
    C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
    3⤵
    PID:3252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
      4⤵
      PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        6⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        8⤵
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        10⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        12⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        14⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        16⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        17⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        18⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        19⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        20⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        21⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        22⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        23⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        24⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        25⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        26⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        27⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        28⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        29⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        30⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        31⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        32⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        33⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        34⤵
        
        PID:260
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        35⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        36⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        37⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        38⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        39⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        40⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        41⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        42⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        43⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        44⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        45⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        46⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        47⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        48⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        49⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        50⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        51⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        52⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        53⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        54⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        55⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        56⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        57⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        58⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        59⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        60⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        61⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        62⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        63⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        64⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        65⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        66⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        67⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        68⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        69⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        70⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        71⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        72⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        73⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        74⤵
        
        PID:3480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        75⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        76⤵
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        77⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        78⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        79⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        80⤵
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        81⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        82⤵
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        83⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        84⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        85⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        86⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        87⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        88⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        89⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        90⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        91⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        92⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        93⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        94⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        95⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        96⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        97⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        98⤵
        
        PID:4784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        99⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        100⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        101⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        102⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        103⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        104⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        105⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        106⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        107⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        108⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        109⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        110⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        111⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        112⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        113⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        114⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        115⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        116⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        117⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        118⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        119⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        120⤵
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        121⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        122⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        123⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        124⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        125⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        126⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        127⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        128⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        129⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        130⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        131⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        132⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        133⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        134⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        135⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        136⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        137⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        138⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        139⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        140⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        141⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        142⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        143⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        144⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        145⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        146⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        147⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        148⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        149⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        150⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        151⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        152⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        153⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        154⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        155⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        156⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        157⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        158⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        159⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        160⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        161⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        162⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        163⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        164⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        165⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        166⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        167⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        168⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        169⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        170⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        171⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        172⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        173⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        174⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        175⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        176⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        177⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        178⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        179⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        180⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        181⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        182⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        183⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        184⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        185⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        186⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        187⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        188⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        189⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        190⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        191⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        192⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        193⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        194⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        195⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        196⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        197⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        198⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        199⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        200⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        201⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        202⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        203⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        204⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        205⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        206⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        207⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        208⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        209⤵
        
        PID:176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        210⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        211⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        212⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        213⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        214⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        215⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        216⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        217⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        218⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        219⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        220⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        221⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        222⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        223⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        224⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        225⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        226⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        227⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        228⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        229⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        230⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        231⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        232⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        233⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        234⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        235⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        236⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        237⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        238⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        239⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        240⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        241⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        242⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        243⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        244⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        245⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        246⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        247⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        248⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        249⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        250⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        251⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        252⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        253⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        254⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        255⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        256⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        257⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        258⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        259⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        260⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        261⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        262⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
        
        C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
        263⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1728
        
        C:\Users\Admin\baQcEMMk\GUsQEMco.exe
        
        "C:\Users\Admin\baQcEMMk\GUsQEMco.exe"
        264⤵
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 224
        265⤵
        Program crash
        
        PID:1092
        
        C:\ProgramData\SMgIwYko\gmMgcIIw.exe
        
        "C:\ProgramData\SMgIwYko\gmMgcIIw.exe"
        264⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 380
        265⤵
        Program crash
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
        264⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoQUEAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        262⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAEwgEwY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        260⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKEIIswU.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        258⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAsscEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        256⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsQoAAMY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        254⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQsEEogc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        252⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QewUIkco.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        250⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEkswUAE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        248⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkEcMcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        246⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies registry key
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeYEAQkw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        244⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIwcMQoY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        242⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkAAUQYs.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        240⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seoMEIMk.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        238⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIgIcUAc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        236⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOwcUwAA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        234⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOsIUYkc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        232⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        Modifies registry key
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siEQoAss.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        230⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUkAMQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        228⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeQUwsQw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        226⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nisIgQcE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        224⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGoIIYwI.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        222⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViEkIsgo.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        220⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\racAIMkk.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        218⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcIQgwco.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        216⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECkIgowo.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        214⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKYwQUgo.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        212⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAoAUEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        210⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYAcUAQo.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        208⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEwsQgcU.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        206⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSkUUMIY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        204⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUssIQII.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        202⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYYwwEQY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        200⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyoYEMgY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        198⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIYQooQE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        196⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmsMIoIw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        194⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWMEAAUE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        192⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HesccwYk.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        190⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOMwcMoo.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        188⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOYIAYwM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        186⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcgkosQY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        184⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkMQAcYE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        182⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dasIgwwE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        180⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKQAMUMo.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        178⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgIsIkcM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        176⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAQgUsgc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        174⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOMAIAEE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        172⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGQMYgEo.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        170⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PokAEIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        168⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwgUYUEE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        166⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgAEUUAs.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        164⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGkUogco.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        162⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgYMQYcg.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        160⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqkgosMA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        158⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQAcEkwE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        156⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEMwgUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        154⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMcEMokw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        152⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIYoUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        150⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWcQAQwg.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        148⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOwMAIUs.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        146⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEgIIoMc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        144⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYwgkwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        142⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaoQwMcs.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        140⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsMAEMkk.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        138⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEAgYgIE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        136⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiUcsgIY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        134⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqUAUQYY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        132⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgUoggYY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        130⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOkUsUcA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        128⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qokokUgc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        126⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyoYEEYU.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        124⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MagoIEIY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        122⤵
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        UAC bypass
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaggIowc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        120⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmwAQskc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        118⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYkIkgYw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIwIQMg.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        114⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSYEsoUg.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        112⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaQckEAw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        110⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAgIAsgs.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        108⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWYgYoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        106⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIkMcUIM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        104⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        UAC bypass
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmwAggoc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        102⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYcosgQM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        100⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcssIEwU.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        98⤵
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAUAAoEc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        96⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\looEkowg.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        94⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XysYUYwI.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        92⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiAIUMYE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        90⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEsgkQgE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        88⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQggYkkQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        86⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tekkogwI.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        84⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCUUgQUg.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        82⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWcssQAs.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        80⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQcwEIMU.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        78⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tygUUoEM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        76⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQksIQAc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        74⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CacsAgAI.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        72⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGIYEkUw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        70⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmgssEII.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        68⤵
        
        PID:2652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKkAMgUM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        66⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MigggcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        64⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIkAYEkA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        62⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKsEUkko.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        60⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkAIUQYY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        58⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQQIsoAs.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        56⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOwsQcYM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        54⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEUoskMs.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        52⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAwMskgI.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        50⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkYoEIYA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        48⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWswsscQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        46⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcAYoMcA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        44⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOQIcQgY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        42⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruEEAMEk.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        40⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMMssook.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        38⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSwkAYQE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        36⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCgQYYoU.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        34⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIMEEUgU.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        32⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWEAsoQc.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        30⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQkAYgcY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        28⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQowocYo.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        26⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUoAwMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        24⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqwUsUEI.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        22⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGUQAoAw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        20⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWQYIYsk.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        18⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSsMkMYY.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        16⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieoMkcAw.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        14⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSkkUcUE.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        12⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIQwcUgk.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        10⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsUgkkEA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        8⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2708
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3840
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4792
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aakUgwoA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
        6⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmAAAgwA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
      4⤵
      PID:3316
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isgEsgMI.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
      4⤵
      PID:2196
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:796
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
    3⤵
    PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSsUMoYA.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
  2⤵
  PID:3716
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEIEUgsM.bat" "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe""
1⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b"
1⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b.exe
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1832
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 540 -ip 540
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1640 -ip 1640
1⤵
PID:4632

C:\ProgramData\RiUQUIQE\rkgEQgEo.exe
C:\ProgramData\RiUQUIQE\rkgEQgEo.exe
1⤵
PID:4280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 272
  2⤵
  - Program crash
  PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4280 -ip 4280
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XWcYQcoI\GeowAokg.exe

Filesize
479KB

MD5
142b32d8154f39d8ed40343391b13b55

SHA1
65fa39688ee150844bbb5ef3b6829aa1a05748b3

SHA256
8d65fe2b468626616ee2c5b7b3fcd779a9db7b296bc03dadcd1fdbff57f4eaba

SHA512
7f01f7c2fb6868d67bfd938aefe65c7889324eb2e6f0b2f79d9b082ecba9f9c2fc2af8336c6683ad879418626d1fc66da7f5d3a01451b7bff05948ef8523ee76

Download Submit
C:\ProgramData\XWcYQcoI\GeowAokg.exe

Filesize
479KB

MD5
142b32d8154f39d8ed40343391b13b55

SHA1
65fa39688ee150844bbb5ef3b6829aa1a05748b3

SHA256
8d65fe2b468626616ee2c5b7b3fcd779a9db7b296bc03dadcd1fdbff57f4eaba

SHA512
7f01f7c2fb6868d67bfd938aefe65c7889324eb2e6f0b2f79d9b082ecba9f9c2fc2af8336c6683ad879418626d1fc66da7f5d3a01451b7bff05948ef8523ee76

Download Submit
C:\ProgramData\uEAMwEAE\eCUEQAMo.exe

Filesize
483KB

MD5
b83e8cfb192725b9692e6d17ce22c1b5

SHA1
7b70dda395753498844b4eda34170713518b6a6c

SHA256
d34f21cc8841efb17eb01486054cd8a34c7dd0f8eb10323c08f1b228e4a19cfe

SHA512
5f00efb8ada42a9fb269055240be4a829dd05221c8fad6952701e3b8c7d8e40c2e14ae26f742b88804237672550faf70a22391e2639c24c4474d9c78dc491762

Download Submit
C:\ProgramData\uEAMwEAE\eCUEQAMo.exe

Filesize
483KB

MD5
b83e8cfb192725b9692e6d17ce22c1b5

SHA1
7b70dda395753498844b4eda34170713518b6a6c

SHA256
d34f21cc8841efb17eb01486054cd8a34c7dd0f8eb10323c08f1b228e4a19cfe

SHA512
5f00efb8ada42a9fb269055240be4a829dd05221c8fad6952701e3b8c7d8e40c2e14ae26f742b88804237672550faf70a22391e2639c24c4474d9c78dc491762

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\187917b0f0ff1aaed981b67b692624fc4a90b54cc612fb39eb29b2b935e2fe8b

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQowocYo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEIEUgsM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqwUsUEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUoAwMwQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGUQAoAw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmAAAgwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aakUgwoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\acMswMcI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKcAIgUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSsMkMYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIAUgoAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieoMkcAw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\isgEsgMI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSkkUcUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIQwcUgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCgYkcss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsUgkkEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWQYIYsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSsUMoYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYgMAAMQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\wQUEwYEU\ZcoEgMsk.exe

Filesize
480KB

MD5
edfeecc2a095d75df60b64f9fb2b29ce

SHA1
94805aeff45768420dcd4a10a94054c03d4fe54a

SHA256
815324542ef68d63a303fe8da15219fe96126f81c9bf31e9c386b768f979a6c6

SHA512
39bc258c5afc269badc6e2423afcf73af73799a6784ad111282a668a2b104dd73ebaa3f2f5ad4662f75b3ccd6cdfc08df72ee3d6c321eb6e61204ffa932c7fe7

Download Submit
C:\Users\Admin\wQUEwYEU\ZcoEgMsk.exe

Filesize
480KB

MD5
edfeecc2a095d75df60b64f9fb2b29ce

SHA1
94805aeff45768420dcd4a10a94054c03d4fe54a

SHA256
815324542ef68d63a303fe8da15219fe96126f81c9bf31e9c386b768f979a6c6

SHA512
39bc258c5afc269badc6e2423afcf73af73799a6784ad111282a668a2b104dd73ebaa3f2f5ad4662f75b3ccd6cdfc08df72ee3d6c321eb6e61204ffa932c7fe7

Download Submit
memory/384-307-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/388-220-0x0000000000000000-mapping.dmp

Download
memory/436-150-0x0000000000000000-mapping.dmp

Download
memory/620-277-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/796-171-0x0000000000000000-mapping.dmp

Download
memory/800-198-0x0000000000000000-mapping.dmp

Download
memory/868-317-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/868-318-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/920-305-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1000-308-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1012-320-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1072-252-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1072-136-0x0000000000000000-mapping.dmp

Download
memory/1072-142-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1120-229-0x0000000000000000-mapping.dmp

Download
memory/1152-181-0x0000000000000000-mapping.dmp

Download
memory/1260-231-0x0000000000000000-mapping.dmp

Download
memory/1276-195-0x0000000000000000-mapping.dmp

Download
memory/1284-144-0x0000000000000000-mapping.dmp

Download
memory/1380-211-0x0000000000000000-mapping.dmp

Download
memory/1424-147-0x0000000000000000-mapping.dmp

Download
memory/1440-186-0x0000000000000000-mapping.dmp

Download
memory/1440-202-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1452-170-0x0000000000000000-mapping.dmp

Download
memory/1556-303-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1556-321-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1556-322-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1640-315-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1668-233-0x0000000000000000-mapping.dmp

Download
memory/1768-269-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1768-185-0x0000000000000000-mapping.dmp

Download
memory/1768-267-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1808-314-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1868-196-0x0000000000000000-mapping.dmp

Download
memory/1868-282-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1868-286-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1876-210-0x0000000000000000-mapping.dmp

Download
memory/1924-219-0x0000000000000000-mapping.dmp

Download
memory/1980-158-0x0000000000000000-mapping.dmp

Download
memory/1984-300-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1984-301-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2092-157-0x0000000000000000-mapping.dmp

Download
memory/2116-162-0x0000000000000000-mapping.dmp

Download
memory/2156-309-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2156-310-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2160-145-0x0000000000000000-mapping.dmp

Download
memory/2196-184-0x0000000000000000-mapping.dmp

Download
memory/2260-187-0x0000000000000000-mapping.dmp

Download
memory/2652-169-0x0000000000000000-mapping.dmp

Download
memory/2696-221-0x0000000000000000-mapping.dmp

Download
memory/2816-297-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2816-295-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2820-298-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2824-218-0x0000000000000000-mapping.dmp

Download
memory/2840-247-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2840-312-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2840-313-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2948-216-0x0000000000000000-mapping.dmp

Download
memory/3136-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3136-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3168-197-0x0000000000000000-mapping.dmp

Download
memory/3168-201-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3168-213-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3188-168-0x0000000000000000-mapping.dmp

Download
memory/3252-243-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3252-240-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3252-236-0x0000000000000000-mapping.dmp

Download
memory/3252-190-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3252-176-0x0000000000000000-mapping.dmp

Download
memory/3360-163-0x0000000000000000-mapping.dmp

Download
memory/3432-160-0x0000000000000000-mapping.dmp

Download
memory/3436-273-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3456-182-0x0000000000000000-mapping.dmp

Download
memory/3472-172-0x0000000000000000-mapping.dmp

Download
memory/3516-188-0x0000000000000000-mapping.dmp

Download
memory/3528-164-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3528-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3528-151-0x0000000000000000-mapping.dmp

Download
memory/3536-209-0x0000000000000000-mapping.dmp

Download
memory/3592-302-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3700-263-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3700-153-0x0000000000000000-mapping.dmp

Download
memory/3716-234-0x0000000000000000-mapping.dmp

Download
memory/3736-323-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3796-180-0x0000000000000000-mapping.dmp

Download
memory/3908-155-0x0000000000000000-mapping.dmp

Download
memory/3908-174-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3908-232-0x0000000000000000-mapping.dmp

Download
memory/3944-226-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3944-235-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3944-223-0x0000000000000000-mapping.dmp

Download
memory/4044-255-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4044-249-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4064-319-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4148-306-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4148-304-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4240-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4240-250-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4256-281-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4304-165-0x0000000000000000-mapping.dmp

Download
memory/4332-290-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4360-208-0x0000000000000000-mapping.dmp

Download
memory/4360-224-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4384-146-0x0000000000000000-mapping.dmp

Download
memory/4384-166-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4384-154-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4400-222-0x0000000000000000-mapping.dmp

Download
memory/4432-148-0x0000000000000000-mapping.dmp

Download
memory/4436-238-0x0000000000000000-mapping.dmp

Download
memory/4444-199-0x0000000000000000-mapping.dmp

Download
memory/4464-189-0x0000000000000000-mapping.dmp

Download
memory/4544-133-0x0000000000000000-mapping.dmp

Download
memory/4544-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4544-251-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4620-242-0x0000000000000000-mapping.dmp

Download
memory/4636-200-0x0000000000000000-mapping.dmp

Download
memory/4636-311-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4688-204-0x0000000000000000-mapping.dmp

Download
memory/4808-299-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4836-212-0x0000000000000000-mapping.dmp

Download
memory/4844-159-0x0000000000000000-mapping.dmp

Download
memory/4848-207-0x0000000000000000-mapping.dmp

Download
memory/4860-193-0x0000000000000000-mapping.dmp

Download
memory/4868-260-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4892-230-0x0000000000000000-mapping.dmp

Download
memory/4956-316-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5072-161-0x0000000000000000-mapping.dmp

Download
memory/5116-294-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download