cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Analysis

max time kernel
157s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
Size

446KB
MD5

15547793bc34de9ae3615c96997e9cd0
SHA1

ea8e0dcd4b1424771daafdcc0c064077dac16c7c
SHA256

cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
SHA512

4de7677a6585ebd5366c5e34551afccaa0ce772ce20b80d43b2e61933318f64da1d5ed22c56745e6f0461e23081145fba998fa49111bc1e88874eaa78dcbb491
SSDEEP

6144:r3+eQg1erKxsoBZWKBPjKg+N9yIq8iBpr+/ZcmMTFjz3ZfOWCoYE+kNDzNBdPZl+:rOeQ8eOxPZvBO/lq4ZxASjeDzNBd7zW

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2412	PKkgQoEs.exe
1224	JCUIYcUk.exe
1644	QgQYUAww.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	PKkgQoEs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKkgQoEs.exe = "C:\\Users\\Admin\\eUUUwcUI\\PKkgQoEs.exe"	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JCUIYcUk.exe = "C:\\ProgramData\\rUAQcwIQ\\JCUIYcUk.exe"	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKkgQoEs.exe = "C:\\Users\\Admin\\eUUUwcUI\\PKkgQoEs.exe"	PKkgQoEs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JCUIYcUk.exe = "C:\\ProgramData\\rUAQcwIQ\\JCUIYcUk.exe"	JCUIYcUk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JCUIYcUk.exe = "C:\\ProgramData\\rUAQcwIQ\\JCUIYcUk.exe"	QgQYUAww.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\eUUUwcUI\PKkgQoEs	QgQYUAww.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	PKkgQoEs.exe
File opened for modification	C:\Windows\SysWOW64\sheImportPublish.jpg	PKkgQoEs.exe
File opened for modification	C:\Windows\SysWOW64\sheRegisterLimit.pdf	PKkgQoEs.exe
File opened for modification	C:\Windows\SysWOW64\sheUseDismount.rar	PKkgQoEs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\eUUUwcUI	QgQYUAww.exe
File opened for modification	C:\Windows\SysWOW64\sheDisableConvertFrom.mp3	PKkgQoEs.exe
File opened for modification	C:\Windows\SysWOW64\sheGroupConnect.zip	PKkgQoEs.exe
File opened for modification	C:\Windows\SysWOW64\sheReceiveSplit.png	PKkgQoEs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3724	reg.exe
3408	reg.exe
4632	reg.exe
1068	reg.exe
2748	reg.exe
3368	reg.exe
4932	reg.exe
1084	reg.exe
2532	reg.exe
3556	reg.exe
536	reg.exe
1484	reg.exe
1804	reg.exe
1860	reg.exe
3932	reg.exe
4148	reg.exe
3520	reg.exe
3500	reg.exe
1516	reg.exe
5072	reg.exe
456	reg.exe
1784	reg.exe
2532	reg.exe
4584	reg.exe
2760	reg.exe
4132	reg.exe
2852	reg.exe
1392	reg.exe
3696	reg.exe
1660	reg.exe
1932	reg.exe
2344	reg.exe
4424	reg.exe
2448	reg.exe
4216	reg.exe
2060	reg.exe
3780	reg.exe
64	reg.exe
4492	reg.exe
5104	reg.exe
2712	reg.exe
2088	reg.exe
3768	reg.exe
4292	reg.exe
2288	reg.exe
3724	reg.exe
4624	reg.exe
1348	reg.exe
4132	reg.exe
4224	reg.exe
4216	reg.exe
2604	reg.exe
4104	reg.exe
3116	reg.exe
952	reg.exe
4040	reg.exe
3500	reg.exe
1516	reg.exe
1356	reg.exe
2020	reg.exe
4800	reg.exe
2604	reg.exe
3648	reg.exe
4724	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1840	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1840	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1840	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1840	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1256	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1256	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1256	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1256	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
5000	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
5000	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
5000	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
5000	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4492	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4492	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4492	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4492	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3396	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3396	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3396	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3396	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4552	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4552	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4552	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4552	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4936	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4936	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4936	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
4936	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3636	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3636	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3636	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3636	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2404	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2404	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2404	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
2404	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1712	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1712	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1712	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1712	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1084	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1084	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1084	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
1084	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3896	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3896	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3896	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
3896	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe
2412	PKkgQoEs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2412	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	83
PID 5024 wrote to memory of 2412	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	83
PID 5024 wrote to memory of 2412	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	83
PID 5024 wrote to memory of 1224	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	84
PID 5024 wrote to memory of 1224	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	84
PID 5024 wrote to memory of 1224	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	84
PID 5024 wrote to memory of 4232	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	86
PID 5024 wrote to memory of 4232	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	86
PID 5024 wrote to memory of 4232	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	86
PID 4232 wrote to memory of 2564	4232	cmd.exe	88
PID 4232 wrote to memory of 2564	4232	cmd.exe	88
PID 4232 wrote to memory of 2564	4232	cmd.exe	88
PID 5024 wrote to memory of 320	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	89
PID 5024 wrote to memory of 320	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	89
PID 5024 wrote to memory of 320	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	89
PID 5024 wrote to memory of 216	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	90
PID 5024 wrote to memory of 216	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	90
PID 5024 wrote to memory of 216	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	90
PID 5024 wrote to memory of 2140	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	92
PID 5024 wrote to memory of 2140	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	92
PID 5024 wrote to memory of 2140	5024	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	92
PID 2564 wrote to memory of 1852	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	95
PID 2564 wrote to memory of 1852	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	95
PID 2564 wrote to memory of 1852	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	95
PID 1852 wrote to memory of 2648	1852	cmd.exe	97
PID 1852 wrote to memory of 2648	1852	cmd.exe	97
PID 1852 wrote to memory of 2648	1852	cmd.exe	97
PID 2564 wrote to memory of 1020	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	98
PID 2564 wrote to memory of 1020	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	98
PID 2564 wrote to memory of 1020	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	98
PID 2564 wrote to memory of 2288	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	99
PID 2564 wrote to memory of 2288	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	99
PID 2564 wrote to memory of 2288	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	99
PID 2564 wrote to memory of 4380	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	100
PID 2564 wrote to memory of 4380	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	100
PID 2564 wrote to memory of 4380	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	100
PID 2564 wrote to memory of 4212	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	103
PID 2564 wrote to memory of 4212	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	103
PID 2564 wrote to memory of 4212	2564	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	103
PID 2648 wrote to memory of 2376	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	106
PID 2648 wrote to memory of 2376	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	106
PID 2648 wrote to memory of 2376	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	106
PID 2648 wrote to memory of 4536	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	108
PID 2648 wrote to memory of 4536	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	108
PID 2648 wrote to memory of 4536	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	108
PID 2648 wrote to memory of 3672	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	110
PID 2648 wrote to memory of 3672	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	110
PID 2648 wrote to memory of 3672	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	110
PID 2648 wrote to memory of 3640	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	111
PID 2648 wrote to memory of 3640	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	111
PID 2648 wrote to memory of 3640	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	111
PID 2648 wrote to memory of 4220	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	114
PID 2648 wrote to memory of 4220	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	114
PID 2648 wrote to memory of 4220	2648	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	114
PID 2376 wrote to memory of 2548	2376	cmd.exe	116
PID 2376 wrote to memory of 2548	2376	cmd.exe	116
PID 2376 wrote to memory of 2548	2376	cmd.exe	116
PID 2548 wrote to memory of 2532	2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	117
PID 2548 wrote to memory of 2532	2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	117
PID 2548 wrote to memory of 2532	2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	117
PID 2548 wrote to memory of 4864	2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	119
PID 2548 wrote to memory of 4864	2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	119
PID 2548 wrote to memory of 4864	2548	cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe	119
PID 2532 wrote to memory of 1840	2532	cmd.exe	120

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
"C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\eUUUwcUI\PKkgQoEs.exe
  "C:\Users\Admin\eUUUwcUI\PKkgQoEs.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  PID:2412
- C:\ProgramData\rUAQcwIQ\JCUIYcUk.exe
  "C:\ProgramData\rUAQcwIQ\JCUIYcUk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
    C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        10⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        12⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        14⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        16⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        18⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        20⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        22⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        24⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        26⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        28⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        30⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        32⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        33⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        34⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        35⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        36⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        37⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        38⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        39⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        40⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        41⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        42⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        43⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        44⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        45⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        46⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        47⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        48⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        49⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        50⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        51⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        52⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        53⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        54⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        55⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        56⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        57⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        58⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        59⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        60⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        61⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        62⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        63⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        64⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        65⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        66⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        67⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        68⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        69⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        70⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        71⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        72⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        73⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        74⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        75⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        76⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        77⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        78⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        79⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        80⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        81⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        82⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        83⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        84⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        85⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        86⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        87⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        88⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        89⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        90⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        91⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        92⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        93⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        94⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        95⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        96⤵
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        97⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        98⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        99⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        100⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        101⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        102⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        103⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        104⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        105⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        106⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        107⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        108⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        109⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        110⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        111⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        112⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        113⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        114⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        115⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        116⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        117⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        118⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        119⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        120⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        121⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        122⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        123⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        124⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        125⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        126⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        127⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        128⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        129⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        130⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        131⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        132⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        133⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        134⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        135⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        136⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        137⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        138⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        139⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        140⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        141⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        142⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        143⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        144⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        145⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        146⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        147⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        148⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        149⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        150⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        151⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        152⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        153⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        154⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        155⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        156⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        157⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        158⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        159⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        160⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        161⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        162⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        163⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        164⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        165⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        166⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        167⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        168⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        169⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        170⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        171⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        172⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        173⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        174⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        175⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        176⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        177⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        178⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        179⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        180⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        181⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        182⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        183⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        184⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        185⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        186⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        187⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        188⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        189⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        190⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        191⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        192⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        193⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        194⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        195⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        196⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        197⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        198⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        199⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        200⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        201⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        202⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        203⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        204⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        205⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        206⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        207⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        208⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        209⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        210⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        211⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        212⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        213⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        214⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        215⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        216⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        217⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        218⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        219⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        220⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        221⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        222⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        223⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        224⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        225⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        226⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        227⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        228⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        229⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        230⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        231⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        232⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        233⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        234⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        235⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        236⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        237⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        238⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        239⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        240⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        241⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        242⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        243⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        244⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        245⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        246⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        247⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        248⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        249⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        250⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        251⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        252⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        253⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        254⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        255⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        256⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        257⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        258⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        259⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        260⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        261⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        262⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        263⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        264⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        265⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        266⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        267⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        268⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        269⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        270⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        271⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        272⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        273⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        274⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        275⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        276⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        277⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        278⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        279⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        280⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        281⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        282⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        283⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        284⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        285⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        286⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        287⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        288⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        289⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68"
        290⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68
        291⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        290⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        290⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqAIEQYw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        288⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        289⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        288⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        288⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        288⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        286⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OokkgAMY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        286⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        287⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        286⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        286⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziEQAEEk.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        284⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        285⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        284⤵
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEEkYAUM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        282⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        283⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        UAC bypass
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMEIIoU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        280⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        UAC bypass
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASoYEAYc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        278⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        UAC bypass
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUIIgwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        276⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQcwMMUs.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        274⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckggMUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        272⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UucoYoAI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        270⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCUAUIsI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        268⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiIIQocQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        266⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWMckgMA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        264⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOEokUMM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        262⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUIUMYAA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        260⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGYAMkUc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        258⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcEcwAgY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        256⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYQIgcoY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        254⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeIUwIIY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        252⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gisMcUQA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        250⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eowogQMw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        248⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKIkEcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        246⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYMUokcM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        244⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWYEwgcY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        242⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqEgowQQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        240⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        Modifies registry key
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIkwEEsg.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        238⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcIcEoAI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        236⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziUAUcoI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        234⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWcgoQQA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        232⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcIgEEwg.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        230⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMkosIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        228⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIkYgQoA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        226⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies registry key
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKQwsQcg.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        224⤵
        
        PID:260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeAccIAI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        222⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwEgcEcI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        220⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PScUoUwo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        218⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMkkYEsk.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        216⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VygEIYcA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        214⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raEYIkcs.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        212⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIUAEsYw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        210⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMAUcMAc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        208⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        Modifies registry key
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqIsIwwY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        206⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suMYkUcE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        204⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYEgEkYM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        202⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auIwoAUY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        200⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UoEQUkcU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        198⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqcgsQgc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        196⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsEkokwE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        194⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIcoogAU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        192⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuAcoIYw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        190⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIsYYkAI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        188⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoMgwAYs.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        186⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGUQQwMo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        184⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkccYcsU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        182⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYssQIok.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        180⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goAUwYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        178⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaIEMQso.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        176⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcccAYUo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        174⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siYMEAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        172⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pagEsgYk.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        170⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIAccMIk.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        168⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vokIIcos.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        166⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoMwwcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        164⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMQswUsc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        162⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgUQEwcE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        160⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMEAsIAc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        158⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEYoUgUE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        156⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqcUIQYk.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        154⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMckkYEw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        152⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSUYMEUg.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        150⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puIUQEog.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        148⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mikcwcME.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        146⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKcMsoII.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        144⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsIoYoEw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        142⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeIAkswc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        140⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGokoUME.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        138⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaUMYkAo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        136⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWAMUUIs.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        134⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIIUEYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        132⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqAkkEAo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        130⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MakMYAwM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        128⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekgoMQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        126⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGoQsgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        124⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwkQUAYY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        122⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmMIwIkM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        120⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKcAQMYs.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        118⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQwgEwcM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        116⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeMMoYcU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        114⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fckoYEIM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        112⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyYkYYsE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        110⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsoYcQIo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        108⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaUAgEoM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        106⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUIoAkIE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        104⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RisYcwUY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        102⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAooQkAk.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        100⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqwYAgww.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        98⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkkUMoIs.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        96⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VisAUsME.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        94⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKcgkcgk.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        92⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaAUQQQc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        90⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSIEAIIE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        88⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQQwscAg.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        86⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSMQoAQY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        84⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoMgoUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        82⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DscsQgQY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        80⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgAYYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        78⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEMksgAU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        76⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOIwcssE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        74⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIgYscAQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        72⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScIYgwEc.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        70⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEQMMAEo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        68⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMEAgoks.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        66⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCkgogIA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        64⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEccIYkI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        62⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSMAcAoU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        60⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAoEkYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        58⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkUAAMEs.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        56⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSkIAAcw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        54⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYYoEUIo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        52⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcsUAMsI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        50⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woMcoMoU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        48⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeEowcIA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        46⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKwcwAIY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        44⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUwcAYcI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        42⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOgogoMo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        40⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKYMUwQw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        38⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEwssoEw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        36⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GakIkgYM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        34⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqIUIAos.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        32⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgYYAogg.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        30⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGYcEkQA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        28⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyskoAMA.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        26⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUscMUkM.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        24⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSkIkEwU.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        22⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYEYcsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        20⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOoIwUUE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        18⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekEooMMY.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        16⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsQAMcwg.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        14⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGAYYkUE.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        12⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEcQMkQI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        10⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySkYsgwo.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4552
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4536
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3672
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwAsEoko.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
        6⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmwUooAI.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:216
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEMAUQMw.bat" "C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68.exe""
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3516

C:\ProgramData\zawwIokA\QgQYUAww.exe
C:\ProgramData\zawwIokA\QgQYUAww.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rUAQcwIQ\JCUIYcUk.exe

Filesize
429KB

MD5
ea3a7b57fcf74fd32c0efb55b56e08f3

SHA1
e9a4b390d61549393c915fee350f407bb0d97a76

SHA256
ecb11dc2b33f0f7609d9e0f3975169e65bbe035e57e5c1c7886271ba499b25dc

SHA512
433d4326e26bbeea8dc274b809d54e92ae954da90e9f988851a9b0c476f163be9d9af11ed995d9a71365b1c024a9ccd339894dad15666a731e046cad70c64baf

Download Submit
C:\ProgramData\rUAQcwIQ\JCUIYcUk.exe

Filesize
429KB

MD5
ea3a7b57fcf74fd32c0efb55b56e08f3

SHA1
e9a4b390d61549393c915fee350f407bb0d97a76

SHA256
ecb11dc2b33f0f7609d9e0f3975169e65bbe035e57e5c1c7886271ba499b25dc

SHA512
433d4326e26bbeea8dc274b809d54e92ae954da90e9f988851a9b0c476f163be9d9af11ed995d9a71365b1c024a9ccd339894dad15666a731e046cad70c64baf

Download Submit
C:\ProgramData\zawwIokA\QgQYUAww.exe

Filesize
434KB

MD5
ca816cab5539f63031af5673116c84cf

SHA1
22768d2632a2e5290a3ca99fd825839a9281d331

SHA256
c1dac8ce71631c5d096c3d699f38ce5b4272d57d0b686dacf36b63b50af1ee6e

SHA512
11b72bce5923f697e44c9a96e555509e3c51bf01553545b3ec15656b0dbaf95b20e539e057b2f106432b64875ef31ce53981507c239ccef9dbc478c0390733dc

Download Submit
C:\ProgramData\zawwIokA\QgQYUAww.exe

Filesize
434KB

MD5
ca816cab5539f63031af5673116c84cf

SHA1
22768d2632a2e5290a3ca99fd825839a9281d331

SHA256
c1dac8ce71631c5d096c3d699f38ce5b4272d57d0b686dacf36b63b50af1ee6e

SHA512
11b72bce5923f697e44c9a96e555509e3c51bf01553545b3ec15656b0dbaf95b20e539e057b2f106432b64875ef31ce53981507c239ccef9dbc478c0390733dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsQAMcwg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GakIkgYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IGAYYkUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmwUooAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGYcEkQA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEcQMkQI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgYYAogg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOoIwUUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUwcAYcI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKYMUwQw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5c0affeac86067994bfd1d5cac6a6e784d02797ae8ed27602c2d1ea3428a68

Filesize
6KB

MD5
f2139758e1ca788944e3d676ffdf569d

SHA1
ac4ba97181837b96227c14b9b7dacee876688f14

SHA256
e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d

SHA512
4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSkIkEwU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekEooMMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUscMUkM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYEYcsoQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwAsEoko.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqIUIAos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOgogoMo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyskoAMA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwssoEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySkYsgwo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\eUUUwcUI\PKkgQoEs.exe

Filesize
432KB

MD5
f79be680e03f18bf0874d6b54d060e2c

SHA1
32ade44a6b6c9470eda04f65417b3d40239a7ad3

SHA256
84f987a8406353849d54f2c0387a45d232535331fb4f78aea0d665b6c0b3eb30

SHA512
54735e7b4c75c11dc7cdd47310f5b86af0e22aaf3044f1c2e9c5e67a83f4c2ec47c8cc65576fc7d0204b0c3ac6c35eafd072d5820137c0e2129f7130bf0d2726

Download Submit
C:\Users\Admin\eUUUwcUI\PKkgQoEs.exe

Filesize
432KB

MD5
f79be680e03f18bf0874d6b54d060e2c

SHA1
32ade44a6b6c9470eda04f65417b3d40239a7ad3

SHA256
84f987a8406353849d54f2c0387a45d232535331fb4f78aea0d665b6c0b3eb30

SHA512
54735e7b4c75c11dc7cdd47310f5b86af0e22aaf3044f1c2e9c5e67a83f4c2ec47c8cc65576fc7d0204b0c3ac6c35eafd072d5820137c0e2129f7130bf0d2726

Download Submit
memory/216-146-0x0000000000000000-mapping.dmp

Download
memory/320-145-0x0000000000000000-mapping.dmp

Download
memory/380-183-0x0000000000000000-mapping.dmp

Download
memory/456-176-0x0000000000000000-mapping.dmp

Download
memory/816-319-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/956-175-0x0000000000000000-mapping.dmp

Download
memory/1020-151-0x0000000000000000-mapping.dmp

Download
memory/1072-301-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1084-191-0x0000000000000000-mapping.dmp

Download
memory/1084-266-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1224-140-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1224-244-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1224-136-0x0000000000000000-mapping.dmp

Download
memory/1256-177-0x0000000000000000-mapping.dmp

Download
memory/1256-195-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1428-241-0x0000000000000000-mapping.dmp

Download
memory/1468-315-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1588-180-0x0000000000000000-mapping.dmp

Download
memory/1644-161-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1712-260-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1712-262-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1784-192-0x0000000000000000-mapping.dmp

Download
memory/1804-203-0x0000000000000000-mapping.dmp

Download
memory/1828-298-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1840-181-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1840-172-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1840-168-0x0000000000000000-mapping.dmp

Download
memory/1844-198-0x0000000000000000-mapping.dmp

Download
memory/1852-149-0x0000000000000000-mapping.dmp

Download
memory/2088-189-0x0000000000000000-mapping.dmp

Download
memory/2140-147-0x0000000000000000-mapping.dmp

Download
memory/2192-170-0x0000000000000000-mapping.dmp

Download
memory/2220-280-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2220-278-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2288-152-0x0000000000000000-mapping.dmp

Download
memory/2320-296-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2376-156-0x0000000000000000-mapping.dmp

Download
memory/2404-309-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2404-257-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2412-139-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2412-243-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2412-133-0x0000000000000000-mapping.dmp

Download
memory/2532-275-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2532-166-0x0000000000000000-mapping.dmp

Download
memory/2548-164-0x0000000000000000-mapping.dmp

Download
memory/2548-173-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2564-144-0x0000000000000000-mapping.dmp

Download
memory/2564-162-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2600-316-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2604-295-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2648-163-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2648-150-0x0000000000000000-mapping.dmp

Download
memory/2648-220-0x0000000000000000-mapping.dmp

Download
memory/2660-171-0x0000000000000000-mapping.dmp

Download
memory/3092-232-0x0000000000000000-mapping.dmp

Download
memory/3100-300-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3120-231-0x0000000000000000-mapping.dmp

Download
memory/3212-312-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3228-320-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3228-321-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3344-178-0x0000000000000000-mapping.dmp

Download
memory/3396-235-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3396-223-0x0000000000000000-mapping.dmp

Download
memory/3420-210-0x0000000000000000-mapping.dmp

Download
memory/3424-209-0x0000000000000000-mapping.dmp

Download
memory/3428-217-0x0000000000000000-mapping.dmp

Download
memory/3468-227-0x0000000000000000-mapping.dmp

Download
memory/3624-212-0x0000000000000000-mapping.dmp

Download
memory/3636-253-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3636-311-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3636-251-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3636-310-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3640-159-0x0000000000000000-mapping.dmp

Download
memory/3656-219-0x0000000000000000-mapping.dmp

Download
memory/3660-204-0x0000000000000000-mapping.dmp

Download
memory/3672-158-0x0000000000000000-mapping.dmp

Download
memory/3692-318-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3692-317-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3704-205-0x0000000000000000-mapping.dmp

Download
memory/3896-271-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3896-270-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4056-308-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4056-307-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4060-238-0x0000000000000000-mapping.dmp

Download
memory/4124-304-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4124-303-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4128-305-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4212-154-0x0000000000000000-mapping.dmp

Download
memory/4220-160-0x0000000000000000-mapping.dmp

Download
memory/4232-143-0x0000000000000000-mapping.dmp

Download
memory/4292-201-0x0000000000000000-mapping.dmp

Download
memory/4308-218-0x0000000000000000-mapping.dmp

Download
memory/4344-299-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4356-214-0x0000000000000000-mapping.dmp

Download
memory/4360-302-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4380-153-0x0000000000000000-mapping.dmp

Download
memory/4400-297-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4428-306-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4492-216-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4492-222-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4492-202-0x0000000000000000-mapping.dmp

Download
memory/4536-211-0x0000000000000000-mapping.dmp

Download
memory/4536-157-0x0000000000000000-mapping.dmp

Download
memory/4552-169-0x0000000000000000-mapping.dmp

Download
memory/4552-236-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4552-242-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4552-230-0x0000000000000000-mapping.dmp

Download
memory/4584-179-0x0000000000000000-mapping.dmp

Download
memory/4684-233-0x0000000000000000-mapping.dmp

Download
memory/4732-213-0x0000000000000000-mapping.dmp

Download
memory/4740-193-0x0000000000000000-mapping.dmp

Download
memory/4836-286-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4864-167-0x0000000000000000-mapping.dmp

Download
memory/4904-234-0x0000000000000000-mapping.dmp

Download
memory/4936-248-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4948-229-0x0000000000000000-mapping.dmp

Download
memory/5000-206-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5000-194-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5000-184-0x0000000000000000-mapping.dmp

Download
memory/5024-132-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5024-224-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5056-292-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5056-322-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5076-221-0x0000000000000000-mapping.dmp

Download
memory/5076-323-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5104-313-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5104-314-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5104-284-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download