c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Analysis

max time kernel
151s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
Size

494KB
MD5

83f046f6f230a07eab101ed3331344f0
SHA1

96b3f91c5078aa888e5891b7ec6535f0f3549d9c
SHA256

c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
SHA512

fe0bf74b3d024bdd4223e16579923d9ae3b677fa11f5e625147cda79ea08376b040387a25b1317e205ceed4d537659de3b88ec68a9ff2a31a169aa0c8974062b
SSDEEP

12288:gKd82tx6ZWoLX6sg8v4h3HMVt30pgz70B+YqykNuc:jhsxLXRY3sV67Fkl

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\iIoQcAsM\\sCQsQssk.exe,"	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\iIoQcAsM\\sCQsQssk.exe,"	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2440	nIQUkoQY.exe
2396	sCQsQssk.exe
2116	xEwoIQwk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	nIQUkoQY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nIQUkoQY.exe = "C:\\Users\\Admin\\pKcAAwko\\nIQUkoQY.exe"	nIQUkoQY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sCQsQssk.exe = "C:\\ProgramData\\iIoQcAsM\\sCQsQssk.exe"	sCQsQssk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sCQsQssk.exe = "C:\\ProgramData\\iIoQcAsM\\sCQsQssk.exe"	xEwoIQwk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nIQUkoQY.exe = "C:\\Users\\Admin\\pKcAAwko\\nIQUkoQY.exe"	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sCQsQssk.exe = "C:\\ProgramData\\iIoQcAsM\\sCQsQssk.exe"	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\pKcAAwko	xEwoIQwk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\pKcAAwko\nIQUkoQY	xEwoIQwk.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	nIQUkoQY.exe
File opened for modification	C:\Windows\SysWOW64\sheSearchUninstall.zip	nIQUkoQY.exe
File opened for modification	C:\Windows\SysWOW64\sheWriteRename.rar	nIQUkoQY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2232	reg.exe
3132	reg.exe
3912	reg.exe
2760	reg.exe
1668	reg.exe
4320	reg.exe
4680	reg.exe
2152	reg.exe
3096	reg.exe
3132	reg.exe
396	reg.exe
4384	reg.exe
1976	reg.exe
1976	reg.exe
1416	reg.exe
2080	reg.exe
3732	reg.exe
900	reg.exe
3748	Process not Found
1172	reg.exe
3104	reg.exe
3668	reg.exe
1920	reg.exe
4368	reg.exe
3456	reg.exe
3504	reg.exe
3096	reg.exe
1176	reg.exe
2548	reg.exe
1368	reg.exe
1480	reg.exe
2204	Process not Found
4644	reg.exe
4464	reg.exe
4792	reg.exe
4700	reg.exe
4800	reg.exe
4404	reg.exe
3084	reg.exe
4340	reg.exe
740	Process not Found
4416	Process not Found
4936	reg.exe
1096	reg.exe
2160	reg.exe
1584	reg.exe
1368	reg.exe
1980	reg.exe
3060	reg.exe
4936	reg.exe
5008	reg.exe
440	reg.exe
4712	reg.exe
3880	reg.exe
3236	reg.exe
4800	reg.exe
5020	reg.exe
4976	Process not Found
1708	reg.exe
4456	reg.exe
732	reg.exe
2068	reg.exe
1856	Process not Found
1752	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4092	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4092	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4092	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4092	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
920	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
920	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
920	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
920	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
3900	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
3900	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
3900	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
3900	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1856	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1856	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1856	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1856	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1708	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1708	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1708	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1708	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
3896	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
3896	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
3896	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
3896	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1836	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1836	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1836	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
1836	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2232	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2232	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2232	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2232	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4576	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4576	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4576	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
4576	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2100	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2100	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2100	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2100	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2288	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2288	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2288	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2288	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2036	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2036	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2036	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2036	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2520	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2520	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2520	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
2520	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	nIQUkoQY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe
2440	nIQUkoQY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 2440	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	82
PID 4796 wrote to memory of 2440	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	82
PID 4796 wrote to memory of 2440	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	82
PID 4796 wrote to memory of 2396	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	83
PID 4796 wrote to memory of 2396	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	83
PID 4796 wrote to memory of 2396	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	83
PID 4796 wrote to memory of 1904	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	85
PID 4796 wrote to memory of 1904	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	85
PID 4796 wrote to memory of 1904	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	85
PID 4796 wrote to memory of 4712	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	87
PID 4796 wrote to memory of 4712	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	87
PID 4796 wrote to memory of 4712	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	87
PID 4796 wrote to memory of 1356	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	88
PID 4796 wrote to memory of 1356	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	88
PID 4796 wrote to memory of 1356	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	88
PID 1904 wrote to memory of 368	1904	cmd.exe	89
PID 1904 wrote to memory of 368	1904	cmd.exe	89
PID 1904 wrote to memory of 368	1904	cmd.exe	89
PID 4796 wrote to memory of 5068	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	90
PID 4796 wrote to memory of 5068	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	90
PID 4796 wrote to memory of 5068	4796	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	90
PID 368 wrote to memory of 3732	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	94
PID 368 wrote to memory of 3732	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	94
PID 368 wrote to memory of 3732	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	94
PID 3732 wrote to memory of 4644	3732	cmd.exe	96
PID 3732 wrote to memory of 4644	3732	cmd.exe	96
PID 3732 wrote to memory of 4644	3732	cmd.exe	96
PID 368 wrote to memory of 1172	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	97
PID 368 wrote to memory of 1172	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	97
PID 368 wrote to memory of 1172	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	97
PID 368 wrote to memory of 1272	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	98
PID 368 wrote to memory of 1272	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	98
PID 368 wrote to memory of 1272	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	98
PID 368 wrote to memory of 2616	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	99
PID 368 wrote to memory of 2616	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	99
PID 368 wrote to memory of 2616	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	99
PID 368 wrote to memory of 5056	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	102
PID 368 wrote to memory of 5056	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	102
PID 368 wrote to memory of 5056	368	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	102
PID 4644 wrote to memory of 2448	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	106
PID 4644 wrote to memory of 2448	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	106
PID 4644 wrote to memory of 2448	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	106
PID 4644 wrote to memory of 3504	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	107
PID 4644 wrote to memory of 3504	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	107
PID 4644 wrote to memory of 3504	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	107
PID 2448 wrote to memory of 4092	2448	cmd.exe	108
PID 2448 wrote to memory of 4092	2448	cmd.exe	108
PID 2448 wrote to memory of 4092	2448	cmd.exe	108
PID 4644 wrote to memory of 4108	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	109
PID 4644 wrote to memory of 4108	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	109
PID 4644 wrote to memory of 4108	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	109
PID 4644 wrote to memory of 4260	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	110
PID 4644 wrote to memory of 4260	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	110
PID 4644 wrote to memory of 4260	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	110
PID 4644 wrote to memory of 3464	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	113
PID 4644 wrote to memory of 3464	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	113
PID 4644 wrote to memory of 3464	4644	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	113
PID 4092 wrote to memory of 3336	4092	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	116
PID 4092 wrote to memory of 3336	4092	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	116
PID 4092 wrote to memory of 3336	4092	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	116
PID 3336 wrote to memory of 920	3336	cmd.exe	118
PID 3336 wrote to memory of 920	3336	cmd.exe	118
PID 3336 wrote to memory of 920	3336	cmd.exe	118
PID 4092 wrote to memory of 4476	4092	c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe	119

C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
"C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\pKcAAwko\nIQUkoQY.exe
  "C:\Users\Admin\pKcAAwko\nIQUkoQY.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2440
- C:\ProgramData\iIoQcAsM\sCQsQssk.exe
  "C:\ProgramData\iIoQcAsM\sCQsQssk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
    C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        10⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        12⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        14⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        16⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        18⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        20⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        22⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        24⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        26⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        28⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        30⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        32⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        33⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        34⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        35⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        36⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        37⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        38⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        39⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        40⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        41⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        42⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        43⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        44⤵
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        45⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        46⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        47⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        48⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        49⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        50⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        51⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        52⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        53⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        54⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        55⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        56⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        57⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        58⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        59⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        60⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        61⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        62⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        63⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        64⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        65⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        66⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        67⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        68⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        69⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        70⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        71⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        72⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        73⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        74⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        75⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        76⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        77⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        78⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        79⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        80⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        81⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        82⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        83⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        84⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        85⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        86⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        87⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        88⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        89⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        90⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        91⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        92⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        93⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        94⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        95⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        96⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        97⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        98⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        99⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        100⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        101⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        102⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        103⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        104⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        105⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        106⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        107⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        108⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        109⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        110⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        111⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        112⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        113⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        114⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        115⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        116⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        117⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        118⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        119⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        120⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        121⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        122⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        123⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        124⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        125⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        126⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        127⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        128⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        129⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        130⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        131⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        132⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        133⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        134⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        135⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        136⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        137⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        138⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        139⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        140⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        141⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        142⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        143⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        144⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        145⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        146⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        147⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        148⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        149⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        150⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        151⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        152⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        153⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        154⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        155⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        156⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        157⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        158⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        159⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        160⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        161⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        162⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        163⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        164⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        165⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        166⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        167⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        168⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        169⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        170⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        171⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        172⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        173⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        174⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        175⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        176⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        177⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        178⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        179⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        180⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        181⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        182⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        183⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        184⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        185⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        186⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        187⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        188⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        189⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        190⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        191⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        192⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        193⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        194⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        195⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        196⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        197⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        198⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        199⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        200⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        201⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        202⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        203⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        204⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        205⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        206⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        207⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        208⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        209⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        210⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        211⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        212⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        213⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        214⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        215⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        216⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        217⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        218⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        219⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        220⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        221⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        222⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        223⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        224⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        225⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        226⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        227⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        228⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        229⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        230⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        231⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        232⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        233⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        234⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        235⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        236⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        237⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        238⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        239⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        240⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        241⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        242⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        243⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        244⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        245⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        246⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        247⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        248⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        249⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        250⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        251⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        252⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        253⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        254⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        255⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        256⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        257⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        258⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        259⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        260⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        261⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        262⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        263⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        264⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        265⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        266⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        267⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        268⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        269⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        270⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        271⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        272⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        273⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        274⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        275⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        276⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        277⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        278⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        279⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        280⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        281⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        282⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        283⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        284⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        285⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        286⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        287⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        288⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        289⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        290⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe
        
        C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598
        291⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598"
        292⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        292⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqIAcMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        292⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        292⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyggoEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        290⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        291⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        290⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        290⤵
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        290⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        288⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        288⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        288⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMwcwMIM.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        288⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        289⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eywYwkcI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        286⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        287⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        286⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        286⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        286⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soIAcAAg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        284⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        285⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        284⤵
        UAC bypass
        Modifies registry key
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        Modifies visibility of file extensions in Explorer
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        UAC bypass
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COQIQwcY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        282⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        283⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsoQMckI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        280⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKUIgkQc.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        278⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies visibility of file extensions in Explorer
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSQQIAIk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        276⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCMQccoI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        274⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmsIYMsw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        272⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaEMUAgU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        270⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSUcYcYI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        268⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUgowcsE.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        266⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ausIcYcg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        264⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        Modifies registry key
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        Modifies registry key
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icEkUYkA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        262⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JosUEwYA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        260⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSMAAsIc.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        258⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWEYIccQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        256⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgsgooAU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        254⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsQcsQUs.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        252⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkIIwUkU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        250⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQkwQIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        248⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HawAwwYo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        246⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dogwowMI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        244⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcYAQMsk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        242⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reAIcAkg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        240⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCEwkkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        238⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoIcMMQo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        236⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqUkksIY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        234⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSggskos.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        232⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmcgIsMw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        230⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgMkIooQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        228⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYIgQcoY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        226⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgYAYgcc.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        224⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQsUwkMo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        222⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        Modifies registry key
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKAwIwkE.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        220⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwcAkIMM.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        218⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icUQUEMw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        216⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEkMcQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        214⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoIoYEgU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        212⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUgocoso.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        210⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCEscUIY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        208⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsIkMwgI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        206⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYEoQoEg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        204⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSUYEYEE.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        202⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIEgAsAA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        200⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyQMYQUU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        198⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IakscIkw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        196⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeowQQMM.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        194⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMEcUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        192⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgIgQQgg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        190⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies registry key
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuQQwcgI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        188⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmgIwgoE.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        186⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsQIgYoo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        184⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCcMoQYw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        182⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUYIgkUw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        180⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMQgQgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        178⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCUoYQkU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        176⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAMsgoUw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        174⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEEcgcgA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        172⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LekoAkgY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        170⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neEwYMkU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        168⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoQEwogo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        166⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqQEgQgM.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        164⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMIEoscg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        162⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWQkAQUs.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        160⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWoUUkEU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        158⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUwcYcEU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        156⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoEQQQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        154⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQUAgAQg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        152⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcUcEAEo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        150⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQswwEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        148⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWswcsUk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        146⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKwQAAIM.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        144⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUEkcIkw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        142⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqEYQccQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        140⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiAwQUsI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        138⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCosMYMI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        136⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEswIIok.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        134⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmMwYQoc.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        132⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YooAIIEw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        130⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWogQowg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        128⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMIQcksk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        126⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGMgYogA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        124⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmIccwkY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        122⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMgkQIIA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        120⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOEEUYwI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        118⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMQokwoA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        116⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueMYMUcc.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        114⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmwYgAck.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        112⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies registry key
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmAkwUYI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        110⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQgwIAYM.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        108⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peEcgMMk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        106⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RygQAsUA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        104⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMUIMoQg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        102⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQUocMsg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        100⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciIwQgok.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        98⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwsocwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        96⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQogYogQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        94⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NScYkMAw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        92⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkgQwEso.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        90⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HykEUIUU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        88⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lysQEwoI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        86⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZygUkkcw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        84⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEIMcoMw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        82⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEUwgAEE.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        80⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuEMMwwk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        78⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsgIIUQo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        76⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwUMgwkg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        74⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKAwcUQo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        72⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmcgcwko.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        70⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RasMkMko.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        68⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYokMwcI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        66⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKEoEMsk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        64⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAUcEIgo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        62⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMEkAckw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        60⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\busAMkAg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        58⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noQYgAco.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        56⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSEEQIsg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        54⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwkkEogQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        52⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yucEskYk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        50⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOQwocwM.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        48⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nscckcYo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        46⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqwMMgoA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        44⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McQEccoY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        42⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkAkocUQ.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        40⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgMEgkgw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        38⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOwEYUAg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        36⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIQUUMss.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        34⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiIscscs.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        32⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGokcQEw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        30⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiUYkMsY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        28⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUQUocgo.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        26⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liAIsEkk.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        24⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYQgEAIE.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        22⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoggcwsI.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        20⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiEMUcYE.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        18⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAsMIEUs.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        16⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQIMEEsU.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        14⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIkoksMw.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        12⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acYgEIsA.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        10⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VacEEAAs.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        8⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4656
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TasIscwY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
        6⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4024
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1172
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsccMAcY.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1924
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1356
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaQAgEsg.bat" "C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598.exe""
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1352

C:\ProgramData\AEMwkIco\xEwoIQwk.exe
C:\ProgramData\AEMwkIco\xEwoIQwk.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AEMwkIco\xEwoIQwk.exe

Filesize
475KB

MD5
60056de4df1378b660243e15d92e51c4

SHA1
dcf048d66be552819246430ab17847c0b2d2abe6

SHA256
e7e70eee48741a53155a1a6dabb16d2436c601cf10d19fc7c9a14b95cebd82a1

SHA512
31863567b475069ea8749ca6f6d6f19f27e31c2f209cada449ca87eb3d52fdbe21ed1c0b406dc64d4029a4de1eb305b2178717855217aadcf0e1a081f643fa19

Download Submit
C:\ProgramData\AEMwkIco\xEwoIQwk.exe

Filesize
475KB

MD5
60056de4df1378b660243e15d92e51c4

SHA1
dcf048d66be552819246430ab17847c0b2d2abe6

SHA256
e7e70eee48741a53155a1a6dabb16d2436c601cf10d19fc7c9a14b95cebd82a1

SHA512
31863567b475069ea8749ca6f6d6f19f27e31c2f209cada449ca87eb3d52fdbe21ed1c0b406dc64d4029a4de1eb305b2178717855217aadcf0e1a081f643fa19

Download Submit
C:\ProgramData\iIoQcAsM\sCQsQssk.exe

Filesize
482KB

MD5
491ef8d7e3111ac148d8a16b71c00272

SHA1
0bfb791f8d0360b3c56ec94f6a063f4ba87361fa

SHA256
817b7a32ff17df07d2db278d98ea4bd1eea00244210ed671ffb3230eb7e8d602

SHA512
3ffcc4bc561a282d305c4b7b67d62848ccb9fa83b169c11c25254183113c2c3c8080cf44832c40c288c45fee10c4b81ba4ce95a4d12331b4791c1d19c606a4ad

Download Submit
C:\ProgramData\iIoQcAsM\sCQsQssk.exe

Filesize
482KB

MD5
491ef8d7e3111ac148d8a16b71c00272

SHA1
0bfb791f8d0360b3c56ec94f6a063f4ba87361fa

SHA256
817b7a32ff17df07d2db278d98ea4bd1eea00244210ed671ffb3230eb7e8d602

SHA512
3ffcc4bc561a282d305c4b7b67d62848ccb9fa83b169c11c25254183113c2c3c8080cf44832c40c288c45fee10c4b81ba4ce95a4d12331b4791c1d19c606a4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQIMEEsU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GiIscscs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\McQEccoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOwEYUAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIQUUMss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TasIscwY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VacEEAAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkAkocUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAsMIEUs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUQUocgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoggcwsI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\acYgEIsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGokcQEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7a114e54e2ce52679d4939e9157cded41182dbe9f4972202e4aee52704ac598

Filesize
6KB

MD5
9a73063ea181f944f88c3e2ed083f8af

SHA1
f71c5a8667a65c8c0652f4ae7a4c6b57d6e89d25

SHA256
dc9657a1a14d27171f4d1653a7ff404b5c77db4824a374c44492fe2dcf12bdec

SHA512
a52276031ee722b6d1a6435ff2e8d833beafca5aec23bb7856ca8a8e177f3c5093fcceacd1cfc120c92191533e2e9abc8cbafba1d583707774c039ac3127678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiUYkMsY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgMEgkgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\liAIsEkk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYQgEAIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsccMAcY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIkoksMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiEMUcYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\pKcAAwko\nIQUkoQY.exe

Filesize
483KB

MD5
9911cff42a2db8b0a340c738d8ca933f

SHA1
25e8be93ed3ecf22bf33f7beb929e803cec9f931

SHA256
b08aaef6ae4a5aad3316a12bb970ac0fdb1edce9ece68f40d6a02685576b69cc

SHA512
ab300d751bf5c40917bca0c996a6038387026e0cd156850fd34351b8bf50cb1de5a054504f759c99916bc6a82436713bc10af99b6de5f34445fcb86f677305a1

Download Submit
C:\Users\Admin\pKcAAwko\nIQUkoQY.exe

Filesize
483KB

MD5
9911cff42a2db8b0a340c738d8ca933f

SHA1
25e8be93ed3ecf22bf33f7beb929e803cec9f931

SHA256
b08aaef6ae4a5aad3316a12bb970ac0fdb1edce9ece68f40d6a02685576b69cc

SHA512
ab300d751bf5c40917bca0c996a6038387026e0cd156850fd34351b8bf50cb1de5a054504f759c99916bc6a82436713bc10af99b6de5f34445fcb86f677305a1

Download Submit
memory/368-156-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/676-281-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-304-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/920-174-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/920-181-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1080-316-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1368-311-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1368-295-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1708-222-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1836-239-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1836-242-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1856-209-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1856-200-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-299-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2036-263-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2036-267-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-274-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-254-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-258-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-277-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2116-155-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2232-249-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2232-245-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2288-262-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2296-302-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2296-303-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2396-244-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2396-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2440-243-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2440-141-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2520-271-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2756-317-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-283-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-286-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2920-314-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2920-313-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3008-312-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3116-306-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3896-223-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3896-230-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3900-195-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3912-318-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3924-310-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3980-298-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4024-320-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4024-319-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4092-173-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4236-301-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4236-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4300-288-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4300-290-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4340-309-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4576-253-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4644-165-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4644-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4712-307-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4712-308-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4796-238-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4796-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5064-315-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5064-322-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5064-323-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5100-321-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download