af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Analysis

max time kernel
150s
max time network
113s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
Size

439KB
MD5

13927a54ef0ad71d600f3554ac427630
SHA1

4bff92d984441a869fdd2e44571213e9f87a2d68
SHA256

af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
SHA512

05716d368f8179577afee6318078fc20179b04fcf84ab6f7ed41bd15228bd86becd070c55a70ef95f0d7e547c4ae57c718e5392853269ba1d1f747daeaf6dd6f
SSDEEP

12288:IhcUghLaFX9TupxkPAwtpbA6lJbaiamBWyYcuzzbUMcgnkqY:IGUmIXdupxrwtpbAgJD5rPUkL

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
2012	QqYkgIIE.exe
1976	WosQAsYM.exe
1100	oqkQYsAk.exe
1668	XeUUMwkk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	WosQAsYM.exe

Loads dropped DLL 29 IoCs

pid	Process
1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
2012	QqYkgIIE.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\QqYkgIIE.exe = "C:\\Users\\Admin\\aYQYEUks\\QqYkgIIE.exe"	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WosQAsYM.exe = "C:\\ProgramData\\SaEMkEUg\\WosQAsYM.exe"	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\QqYkgIIE.exe = "C:\\Users\\Admin\\aYQYEUks\\QqYkgIIE.exe"	QqYkgIIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WosQAsYM.exe = "C:\\ProgramData\\SaEMkEUg\\WosQAsYM.exe"	WosQAsYM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WosQAsYM.exe = "C:\\ProgramData\\SaEMkEUg\\WosQAsYM.exe"	oqkQYsAk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\FwAcEYUA.exe = "C:\\Users\\Admin\\cmAcccgc\\FwAcEYUA.exe"	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nyAAYEkM.exe = "C:\\ProgramData\\VgAUAQUY\\nyAAYEkM.exe"	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\aYQYEUks\QqYkgIIE	oqkQYsAk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\aYQYEUks	oqkQYsAk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1700	1708	WerFault.exe	451
892	1252	WerFault.exe	453
1448	1504	WerFault.exe	455
812	1668	WerFault.exe	1212

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2024	reg.exe
1840	reg.exe
932	reg.exe
884	reg.exe
1308	reg.exe
1504	reg.exe
1844	reg.exe
1984	reg.exe
1636	reg.exe
620	reg.exe
1632	reg.exe
880	reg.exe
912	reg.exe
1556	reg.exe
912	reg.exe
1716	reg.exe
1672	reg.exe
1504	reg.exe
892	reg.exe
840	reg.exe
1932	reg.exe
1920	reg.exe
1620	reg.exe
644	reg.exe
884	reg.exe
936	reg.exe
1592	reg.exe
1796	reg.exe
936	reg.exe
888	reg.exe
1504	reg.exe
668	reg.exe
1908	reg.exe
1068	reg.exe
1908	reg.exe
1016	reg.exe
668	reg.exe
1456	reg.exe
1592	reg.exe
1628	reg.exe
672	reg.exe
1676	reg.exe
284	reg.exe
1016	reg.exe
1556	reg.exe
912	reg.exe
1332	reg.exe
1016	reg.exe
1920	reg.exe
1392	reg.exe
668	reg.exe
840	reg.exe
556	reg.exe
1676	reg.exe
316	reg.exe
1112	reg.exe
1364	reg.exe
912	reg.exe
1576	reg.exe
1504	reg.exe
1352	reg.exe
668	reg.exe
812	reg.exe
892	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
812	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
812	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1396	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1396	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1716	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1716	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1352	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1352	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1676	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1676	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1340	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1340	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1040	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1040	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1332	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1332	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
556	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
556	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1636	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1636	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1056	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1056	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
836	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
836	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1628	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1628	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
884	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
884	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
852	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
852	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
812	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
812	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1916	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1916	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1332	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1332	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1684	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1684	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1600	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1600	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1352	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1352	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1524	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1524	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1396	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1396	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1776	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1776	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1324	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1324	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1584	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1584	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
540	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
540	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
308	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
308	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1840	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1840	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe
1976	WosQAsYM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2012	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	28
PID 1724 wrote to memory of 2012	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	28
PID 1724 wrote to memory of 2012	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	28
PID 1724 wrote to memory of 2012	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	28
PID 1724 wrote to memory of 1976	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	29
PID 1724 wrote to memory of 1976	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	29
PID 1724 wrote to memory of 1976	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	29
PID 1724 wrote to memory of 1976	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	29
PID 1724 wrote to memory of 1532	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	31
PID 1724 wrote to memory of 1532	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	31
PID 1724 wrote to memory of 1532	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	31
PID 1724 wrote to memory of 1532	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	31
PID 1532 wrote to memory of 1664	1532	cmd.exe	33
PID 1532 wrote to memory of 1664	1532	cmd.exe	33
PID 1532 wrote to memory of 1664	1532	cmd.exe	33
PID 1532 wrote to memory of 1664	1532	cmd.exe	33
PID 1724 wrote to memory of 888	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	34
PID 1724 wrote to memory of 888	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	34
PID 1724 wrote to memory of 888	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	34
PID 1724 wrote to memory of 888	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	34
PID 1724 wrote to memory of 300	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	36
PID 1724 wrote to memory of 300	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	36
PID 1724 wrote to memory of 300	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	36
PID 1724 wrote to memory of 300	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	36
PID 1724 wrote to memory of 1016	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	37
PID 1724 wrote to memory of 1016	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	37
PID 1724 wrote to memory of 1016	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	37
PID 1724 wrote to memory of 1016	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	37
PID 1664 wrote to memory of 1520	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	40
PID 1664 wrote to memory of 1520	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	40
PID 1664 wrote to memory of 1520	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	40
PID 1664 wrote to memory of 1520	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	40
PID 1520 wrote to memory of 1668	1520	cmd.exe	42
PID 1520 wrote to memory of 1668	1520	cmd.exe	42
PID 1520 wrote to memory of 1668	1520	cmd.exe	42
PID 1520 wrote to memory of 1668	1520	cmd.exe	42
PID 1664 wrote to memory of 1776	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	43
PID 1664 wrote to memory of 1776	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	43
PID 1664 wrote to memory of 1776	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	43
PID 1664 wrote to memory of 1776	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	43
PID 1668 wrote to memory of 912	1668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	44
PID 1668 wrote to memory of 912	1668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	44
PID 1668 wrote to memory of 912	1668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	44
PID 1668 wrote to memory of 912	1668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	44
PID 1664 wrote to memory of 316	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	47
PID 1664 wrote to memory of 316	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	47
PID 1664 wrote to memory of 316	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	47
PID 1664 wrote to memory of 316	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	47
PID 1664 wrote to memory of 1392	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	45
PID 1664 wrote to memory of 1392	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	45
PID 1664 wrote to memory of 1392	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	45
PID 1664 wrote to memory of 1392	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	45
PID 912 wrote to memory of 812	912	cmd.exe	52
PID 912 wrote to memory of 812	912	cmd.exe	52
PID 912 wrote to memory of 812	912	cmd.exe	52
PID 912 wrote to memory of 812	912	cmd.exe	52
PID 1664 wrote to memory of 1892	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	51
PID 1664 wrote to memory of 1892	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	51
PID 1664 wrote to memory of 1892	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	51
PID 1664 wrote to memory of 1892	1664	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	51
PID 1724 wrote to memory of 2024	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	55
PID 1724 wrote to memory of 2024	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	55
PID 1724 wrote to memory of 2024	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	55
PID 1724 wrote to memory of 2024	1724	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	55

C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
"C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\aYQYEUks\QqYkgIIE.exe
  "C:\Users\Admin\aYQYEUks\QqYkgIIE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2012
- C:\ProgramData\SaEMkEUg\WosQAsYM.exe
  "C:\ProgramData\SaEMkEUg\WosQAsYM.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
    C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        8⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        10⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        12⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        14⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        16⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        18⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        20⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        22⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        24⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        26⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        28⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        30⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        32⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        34⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        36⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        38⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        40⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        42⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        44⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        46⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        48⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        50⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        52⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        54⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        56⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        58⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        60⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        62⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        64⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        65⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        66⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        67⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        68⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        69⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        70⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        71⤵
        Adds Run key to start application
        
        PID:1456
        
        C:\Users\Admin\cmAcccgc\FwAcEYUA.exe
        
        "C:\Users\Admin\cmAcccgc\FwAcEYUA.exe"
        72⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 116
        73⤵
        Program crash
        
        PID:1700
        
        C:\ProgramData\VgAUAQUY\nyAAYEkM.exe
        
        "C:\ProgramData\VgAUAQUY\nyAAYEkM.exe"
        72⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 88
        73⤵
        Program crash
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        72⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        73⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        74⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        75⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        76⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        77⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        78⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        79⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        80⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        81⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        82⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        83⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        84⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        85⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        86⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        87⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        88⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        89⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        90⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        91⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        92⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        93⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        94⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        95⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        96⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        97⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        98⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        99⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        100⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        101⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        102⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        103⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        104⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        105⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        106⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        107⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        108⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        109⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        110⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        111⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        112⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        113⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        114⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        115⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        116⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        117⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        118⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        119⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        120⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        121⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        122⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        123⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        124⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        125⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        126⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        127⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        128⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        129⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        130⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        131⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        132⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        133⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        134⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        135⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        136⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        137⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        138⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        139⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        140⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        141⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        142⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        143⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        144⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        145⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        146⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        147⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        148⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        149⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        150⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        151⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        152⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        153⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        154⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        155⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        156⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        157⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        158⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        159⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        160⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        161⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        162⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        163⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        164⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        165⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        166⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        167⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        168⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        169⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        170⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        171⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        172⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        173⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        174⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        175⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        176⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        177⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        178⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        179⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        180⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        181⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        182⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        183⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        184⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        185⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        186⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        187⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        188⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        189⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        190⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        191⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        192⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        193⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        194⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        195⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        196⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        197⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        198⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        199⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGswgokM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        198⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISwQgksg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        196⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQQEIgYA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        194⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwoEAwIs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        192⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zyQYYMEw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        190⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\smkAUMQk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        188⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkAIQUUI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        186⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aWgoEkkg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        184⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioIkYwos.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        182⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROUYkYAo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        180⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSAooYkY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        178⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEEcEwEk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        176⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsAkEsIU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        174⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAUYEMYw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        172⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMYQYwAc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        170⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWMoYsQU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        168⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeUkgIQE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        166⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VyEQEIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        164⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eaogwcYI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        162⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmcYcMsg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        160⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYgYwAco.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        158⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyEMsMwo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        156⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cqYcwcAs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        154⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEoUwkko.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        152⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCIkQEEY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        150⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WsosMocI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        148⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqAskook.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        146⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmkAgsQc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        144⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksYkAsIA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        142⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dusAIIUM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        140⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PsggcgcU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        138⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcoIIEsk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        136⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WoggcYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        134⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcUkIYUs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        132⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMocEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        130⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQcgscgE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        128⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOQkIEIU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        126⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiIYkYkA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        124⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsMcwIgE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        122⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiwEYQkc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        120⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGYEgkwA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        118⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkcEcIwk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        116⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rsYkksgY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        114⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZccUsUwc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        112⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YooscAwc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        110⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICEEwkUs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        108⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUEwIoYw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        106⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycoAUEUM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        104⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BicYUIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        102⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NsIYcEQA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        100⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqYEwsIk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        98⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WiAAIwQc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        96⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiEowAIY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        94⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IOEscUsY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        92⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GeMosMko.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        90⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\COIoUwgE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        88⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmMUAMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        86⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCEQgIco.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        84⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUAoccoI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        82⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKgEIIAM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        80⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMAQgYgA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        78⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmgYQcgc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        76⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcwwcQgk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        74⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lykMcYgY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        72⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKMoAssk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        70⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCQEwwcg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        68⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWUkoQsg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        66⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hscAwYYo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        64⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWQcwMwM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        62⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dckYkIAM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        60⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PusoYAMo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        58⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaoEcYsA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        56⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOQgcEQc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        54⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGEogQwM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        52⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FksIwsEA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        50⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAYwAwc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        48⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LOsEkUQw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        46⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkAUAsQo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        44⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOAkAcAc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        42⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOQUQAwU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        40⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqgkAYUg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        38⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGMcQQUU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        36⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMkAIQIg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        34⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUQgEwsU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        32⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mCMQUYws.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        30⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EygUMUQw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        28⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kcUcAkoc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        26⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCwsMMAU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        24⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWQwQoEE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        22⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSoUkgwc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        20⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoMAwswA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        18⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wccYIEAc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        16⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUoEYoIw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        14⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zacMYIwY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        12⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UecoIkQA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        10⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSgwkIkY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        8⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:284
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1308
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIwkogwQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        6⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1776
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1392
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FMkMccMo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
      4⤵
      PID:1892
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:932
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:300
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEcAgEsA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:564

C:\ProgramData\lWosQEIM\oqkQYsAk.exe
C:\ProgramData\lWosQEIM\oqkQYsAk.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1100

C:\ProgramData\hGooQEUY\XeUUMwkk.exe
C:\ProgramData\hGooQEUY\XeUUMwkk.exe
1⤵
PID:1504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 120
  2⤵
  - Program crash
  PID:1448

C:\ProgramData\hGooQEUY\XeUUMwkk.exe
C:\ProgramData\hGooQEUY\XeUUMwkk.exe
1⤵
- Executes dropped EXE
PID:1668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 120
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SaEMkEUg\WosQAsYM.exe

Filesize
432KB

MD5
5a0ce82c36da443ac563c7c5da64cdef

SHA1
9f8e250314b89b05aba781179d10c96de9757484

SHA256
4f1c45f5ff118622da0df11a49c71f57a3f0b67009e9f393c956570e2d48b518

SHA512
51578188bdee3c1813b0d2b2f882c8c1ffc2f9e0b71d1d3678e3a585db1b0e92d9d9ce81a219d74f22ef4a35cf0f275a1c0b304818fde514611d9232f912243f

Download Submit
C:\ProgramData\lWosQEIM\oqkQYsAk.exe

Filesize
431KB

MD5
8c21180219a86a12ecae37e9b194bafe

SHA1
398a8adb2e9fe09dfafc54afbf1f8f6355e35730

SHA256
b9032c4412e2c47ee983494014ffdc1a29ff6e8a6aa0e2c5a42d14e2114273ca

SHA512
03f4b296b6dd68ca49f5f2edffe1bee0a36e407c39f12b8d8ed9aecab9e71b779c0e48613e2570e0f3a228233ddafc52db9094fc3a1470a26f1eb1494f830308

Download Submit
C:\ProgramData\lWosQEIM\oqkQYsAk.exe

Filesize
431KB

MD5
8c21180219a86a12ecae37e9b194bafe

SHA1
398a8adb2e9fe09dfafc54afbf1f8f6355e35730

SHA256
b9032c4412e2c47ee983494014ffdc1a29ff6e8a6aa0e2c5a42d14e2114273ca

SHA512
03f4b296b6dd68ca49f5f2edffe1bee0a36e407c39f12b8d8ed9aecab9e71b779c0e48613e2570e0f3a228233ddafc52db9094fc3a1470a26f1eb1494f830308

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCwsMMAU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMkMccMo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEcAgEsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSoUkgwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUoEYoIw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UecoIkQA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIwkogwQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoMAwswA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcUcAkoc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWQwQoEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wccYIEAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xSgwkIkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zacMYIwY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\aYQYEUks\QqYkgIIE.exe

Filesize
435KB

MD5
b12f8e0051ef5f878749a88276b17bcc

SHA1
cb8ab38158e3ee3a2a06795ea29561d839a00801

SHA256
024d9e81856d60abc56cd641149f372a8edae80602b676dc2e12f3bb3c262608

SHA512
2c596634fa8ce81e00531b9a2e0f4ea63b37f8059c4df8f3f8a5fde520f13efda8ef39197186d2db32d536a394de22652766a81147437f911bfcfe00ba50675c

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\SaEMkEUg\WosQAsYM.exe

Filesize
432KB

MD5
5a0ce82c36da443ac563c7c5da64cdef

SHA1
9f8e250314b89b05aba781179d10c96de9757484

SHA256
4f1c45f5ff118622da0df11a49c71f57a3f0b67009e9f393c956570e2d48b518

SHA512
51578188bdee3c1813b0d2b2f882c8c1ffc2f9e0b71d1d3678e3a585db1b0e92d9d9ce81a219d74f22ef4a35cf0f275a1c0b304818fde514611d9232f912243f

Download Submit
\ProgramData\SaEMkEUg\WosQAsYM.exe

Filesize
432KB

MD5
5a0ce82c36da443ac563c7c5da64cdef

SHA1
9f8e250314b89b05aba781179d10c96de9757484

SHA256
4f1c45f5ff118622da0df11a49c71f57a3f0b67009e9f393c956570e2d48b518

SHA512
51578188bdee3c1813b0d2b2f882c8c1ffc2f9e0b71d1d3678e3a585db1b0e92d9d9ce81a219d74f22ef4a35cf0f275a1c0b304818fde514611d9232f912243f

Download Submit
\Users\Admin\aYQYEUks\QqYkgIIE.exe

Filesize
435KB

MD5
b12f8e0051ef5f878749a88276b17bcc

SHA1
cb8ab38158e3ee3a2a06795ea29561d839a00801

SHA256
024d9e81856d60abc56cd641149f372a8edae80602b676dc2e12f3bb3c262608

SHA512
2c596634fa8ce81e00531b9a2e0f4ea63b37f8059c4df8f3f8a5fde520f13efda8ef39197186d2db32d536a394de22652766a81147437f911bfcfe00ba50675c

Download Submit
\Users\Admin\aYQYEUks\QqYkgIIE.exe

Filesize
435KB

MD5
b12f8e0051ef5f878749a88276b17bcc

SHA1
cb8ab38158e3ee3a2a06795ea29561d839a00801

SHA256
024d9e81856d60abc56cd641149f372a8edae80602b676dc2e12f3bb3c262608

SHA512
2c596634fa8ce81e00531b9a2e0f4ea63b37f8059c4df8f3f8a5fde520f13efda8ef39197186d2db32d536a394de22652766a81147437f911bfcfe00ba50675c

Download Submit
memory/284-102-0x0000000000000000-mapping.dmp

Download
memory/300-76-0x0000000000000000-mapping.dmp

Download
memory/308-303-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/308-306-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/316-86-0x0000000000000000-mapping.dmp

Download
memory/428-190-0x0000000000000000-mapping.dmp

Download
memory/540-132-0x0000000000000000-mapping.dmp

Download
memory/540-302-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/556-221-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/556-225-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/564-163-0x0000000000000000-mapping.dmp

Download
memory/564-98-0x0000000000000000-mapping.dmp

Download
memory/644-196-0x0000000000000000-mapping.dmp

Download
memory/668-167-0x0000000000000000-mapping.dmp

Download
memory/668-195-0x0000000000000000-mapping.dmp

Download
memory/672-118-0x0000000000000000-mapping.dmp

Download
memory/672-155-0x0000000000000000-mapping.dmp

Download
memory/812-152-0x0000000000000000-mapping.dmp

Download
memory/812-88-0x0000000000000000-mapping.dmp

Download
memory/812-116-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/812-260-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/812-122-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/812-261-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/836-243-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/836-242-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/852-256-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/852-182-0x0000000000000000-mapping.dmp

Download
memory/852-251-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/884-197-0x0000000000000000-mapping.dmp

Download
memory/884-252-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/884-253-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/888-75-0x0000000000000000-mapping.dmp

Download
memory/892-184-0x0000000000000000-mapping.dmp

Download
memory/892-156-0x0000000000000000-mapping.dmp

Download
memory/912-85-0x0000000000000000-mapping.dmp

Download
memory/932-95-0x0000000000000000-mapping.dmp

Download
memory/1016-77-0x0000000000000000-mapping.dmp

Download
memory/1040-209-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1040-191-0x0000000000000000-mapping.dmp

Download
memory/1040-206-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1056-238-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1056-231-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1100-73-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1128-128-0x0000000000000000-mapping.dmp

Download
memory/1144-153-0x0000000000000000-mapping.dmp

Download
memory/1144-185-0x0000000000000000-mapping.dmp

Download
memory/1244-173-0x0000000000000000-mapping.dmp

Download
memory/1248-198-0x0000000000000000-mapping.dmp

Download
memory/1308-131-0x0000000000000000-mapping.dmp

Download
memory/1308-104-0x0000000000000000-mapping.dmp

Download
memory/1324-295-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1332-268-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1332-217-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1332-205-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1332-269-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1340-199-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1340-180-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1340-178-0x0000000000000000-mapping.dmp

Download
memory/1352-148-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1352-171-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1352-280-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1352-275-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1352-141-0x0000000000000000-mapping.dmp

Download
memory/1364-135-0x0000000000000000-mapping.dmp

Download
memory/1368-157-0x0000000000000000-mapping.dmp

Download
memory/1392-170-0x0000000000000000-mapping.dmp

Download
memory/1392-87-0x0000000000000000-mapping.dmp

Download
memory/1396-113-0x0000000000000000-mapping.dmp

Download
memory/1396-115-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1396-283-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1396-288-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1396-136-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1396-188-0x0000000000000000-mapping.dmp

Download
memory/1456-138-0x0000000000000000-mapping.dmp

Download
memory/1504-124-0x0000000000000000-mapping.dmp

Download
memory/1520-79-0x0000000000000000-mapping.dmp

Download
memory/1524-284-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1524-285-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1532-70-0x0000000000000000-mapping.dmp

Download
memory/1532-121-0x0000000000000000-mapping.dmp

Download
memory/1584-296-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1584-299-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1592-140-0x0000000000000000-mapping.dmp

Download
memory/1600-276-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1600-277-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1624-133-0x0000000000000000-mapping.dmp

Download
memory/1628-241-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1628-246-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1636-232-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1664-74-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1664-71-0x0000000000000000-mapping.dmp

Download
memory/1664-90-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1664-117-0x0000000000000000-mapping.dmp

Download
memory/1668-80-0x0000000000000000-mapping.dmp

Download
memory/1668-106-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1668-83-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1676-186-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1676-181-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1676-159-0x0000000000000000-mapping.dmp

Download
memory/1684-267-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1684-272-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1700-103-0x0000000000000000-mapping.dmp

Download
memory/1716-149-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1716-158-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1716-129-0x0000000000000000-mapping.dmp

Download
memory/1724-94-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1724-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1724-65-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1776-290-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1776-82-0x0000000000000000-mapping.dmp

Download
memory/1776-292-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1776-166-0x0000000000000000-mapping.dmp

Download
memory/1796-168-0x0000000000000000-mapping.dmp

Download
memory/1844-105-0x0000000000000000-mapping.dmp

Download
memory/1892-89-0x0000000000000000-mapping.dmp

Download
memory/1916-259-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1916-264-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1924-119-0x0000000000000000-mapping.dmp

Download
memory/1932-112-0x0000000000000000-mapping.dmp

Download
memory/1956-108-0x0000000000000000-mapping.dmp

Download
memory/1960-183-0x0000000000000000-mapping.dmp

Download
memory/1976-67-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1976-250-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1976-62-0x0000000000000000-mapping.dmp

Download
memory/2012-66-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download
memory/2012-249-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2024-93-0x0000000000000000-mapping.dmp

Download
memory/2044-175-0x0000000000000000-mapping.dmp

Download