af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Analysis

max time kernel
163s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 09:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
Size

439KB
MD5

13927a54ef0ad71d600f3554ac427630
SHA1

4bff92d984441a869fdd2e44571213e9f87a2d68
SHA256

af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
SHA512

05716d368f8179577afee6318078fc20179b04fcf84ab6f7ed41bd15228bd86becd070c55a70ef95f0d7e547c4ae57c718e5392853269ba1d1f747daeaf6dd6f
SSDEEP

12288:IhcUghLaFX9TupxkPAwtpbA6lJbaiamBWyYcuzzbUMcgnkqY:IGUmIXdupxrwtpbAgJD5rPUkL

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3500	BgUgIAwk.exe
216	dSskUwUc.exe
2608	qeUQMQIk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	dSskUwUc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dSskUwUc.exe = "C:\\ProgramData\\VWgAIIMA\\dSskUwUc.exe"	qeUQMQIk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BgUgIAwk.exe = "C:\\Users\\Admin\\RsggQQME\\BgUgIAwk.exe"	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dSskUwUc.exe = "C:\\ProgramData\\VWgAIIMA\\dSskUwUc.exe"	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BgUgIAwk.exe = "C:\\Users\\Admin\\RsggQQME\\BgUgIAwk.exe"	BgUgIAwk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dSskUwUc.exe = "C:\\ProgramData\\VWgAIIMA\\dSskUwUc.exe"	dSskUwUc.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheWatchGroup.jpg	dSskUwUc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\RsggQQME	qeUQMQIk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\RsggQQME\BgUgIAwk	qeUQMQIk.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	dSskUwUc.exe
File opened for modification	C:\Windows\SysWOW64\sheMeasureConvertFrom.zip	dSskUwUc.exe
File opened for modification	C:\Windows\SysWOW64\sheRevokeGet.xlsm	dSskUwUc.exe
File opened for modification	C:\Windows\SysWOW64\sheSplitProtect.jpg	dSskUwUc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4676	reg.exe
4392	reg.exe
2932	reg.exe
4028	reg.exe
4620	reg.exe
4792	reg.exe
2412	reg.exe
2904	reg.exe
3952	reg.exe
4212	reg.exe
4760	reg.exe
3772	reg.exe
3736	reg.exe
1620	reg.exe
5036	reg.exe
5084	reg.exe
2144	reg.exe
4196	reg.exe
4736	reg.exe
1156	reg.exe
4560	reg.exe
1908	reg.exe
1788	reg.exe
4736	reg.exe
764	reg.exe
1292	reg.exe
4928	reg.exe
1620	reg.exe
1180	reg.exe
2212	reg.exe
4500	reg.exe
4856	reg.exe
1384	reg.exe
3416	reg.exe
3612	reg.exe
4116	reg.exe
872	reg.exe
4056	reg.exe
3928	reg.exe
2084	reg.exe
3448	reg.exe
3808	reg.exe
432	reg.exe
1008	reg.exe
3496	reg.exe
2312	reg.exe
4668	reg.exe
764	reg.exe
4356	reg.exe
3948	reg.exe
2768	reg.exe
2464	reg.exe
4168	reg.exe
3224	reg.exe
3188	reg.exe
2648	reg.exe
4532	reg.exe
1816	reg.exe
2340	reg.exe
1552	reg.exe
3168	reg.exe
4156	reg.exe
4660	reg.exe
3952	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4928	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4928	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4928	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4928	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4668	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
552	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
552	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
552	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
552	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1900	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1900	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1900	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1900	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1240	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1240	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1240	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
1240	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4536	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4536	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4536	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4536	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2148	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2148	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2148	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2148	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4020	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4020	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4020	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4020	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4512	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4512	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4512	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4512	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
3080	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
3080	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
3080	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
3080	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4784	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4784	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4784	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4784	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4168	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4168	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4168	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
4168	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2148	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2148	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2148	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
2148	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
216	dSskUwUc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe
216	dSskUwUc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3500	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	82
PID 1180 wrote to memory of 3500	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	82
PID 1180 wrote to memory of 3500	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	82
PID 1180 wrote to memory of 216	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	83
PID 1180 wrote to memory of 216	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	83
PID 1180 wrote to memory of 216	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	83
PID 1180 wrote to memory of 3764	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	85
PID 1180 wrote to memory of 3764	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	85
PID 1180 wrote to memory of 3764	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	85
PID 1180 wrote to memory of 4772	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	87
PID 1180 wrote to memory of 4772	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	87
PID 1180 wrote to memory of 4772	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	87
PID 1180 wrote to memory of 5056	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	88
PID 1180 wrote to memory of 5056	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	88
PID 1180 wrote to memory of 5056	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	88
PID 3764 wrote to memory of 3952	3764	cmd.exe	89
PID 3764 wrote to memory of 3952	3764	cmd.exe	89
PID 3764 wrote to memory of 3952	3764	cmd.exe	89
PID 1180 wrote to memory of 4192	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	91
PID 1180 wrote to memory of 4192	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	91
PID 1180 wrote to memory of 4192	1180	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	91
PID 3952 wrote to memory of 2104	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	94
PID 3952 wrote to memory of 2104	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	94
PID 3952 wrote to memory of 2104	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	94
PID 2104 wrote to memory of 484	2104	cmd.exe	96
PID 2104 wrote to memory of 484	2104	cmd.exe	96
PID 2104 wrote to memory of 484	2104	cmd.exe	96
PID 3952 wrote to memory of 4512	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	97
PID 3952 wrote to memory of 4512	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	97
PID 3952 wrote to memory of 4512	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	97
PID 3952 wrote to memory of 4220	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	99
PID 3952 wrote to memory of 4220	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	99
PID 3952 wrote to memory of 4220	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	99
PID 3952 wrote to memory of 900	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	103
PID 3952 wrote to memory of 900	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	103
PID 3952 wrote to memory of 900	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	103
PID 3952 wrote to memory of 4252	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	102
PID 3952 wrote to memory of 4252	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	102
PID 3952 wrote to memory of 4252	3952	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	102
PID 484 wrote to memory of 4460	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	105
PID 484 wrote to memory of 4460	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	105
PID 484 wrote to memory of 4460	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	105
PID 484 wrote to memory of 4284	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	107
PID 484 wrote to memory of 4284	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	107
PID 484 wrote to memory of 4284	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	107
PID 484 wrote to memory of 872	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	109
PID 484 wrote to memory of 872	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	109
PID 484 wrote to memory of 872	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	109
PID 484 wrote to memory of 1944	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	110
PID 484 wrote to memory of 1944	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	110
PID 484 wrote to memory of 1944	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	110
PID 484 wrote to memory of 4704	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	111
PID 484 wrote to memory of 4704	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	111
PID 484 wrote to memory of 4704	484	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	111
PID 4460 wrote to memory of 4928	4460	cmd.exe	115
PID 4460 wrote to memory of 4928	4460	cmd.exe	115
PID 4460 wrote to memory of 4928	4460	cmd.exe	115
PID 4704 wrote to memory of 1856	4704	cmd.exe	117
PID 4704 wrote to memory of 1856	4704	cmd.exe	117
PID 4704 wrote to memory of 1856	4704	cmd.exe	117
PID 4252 wrote to memory of 3468	4252	cmd.exe	116
PID 4252 wrote to memory of 3468	4252	cmd.exe	116
PID 4252 wrote to memory of 3468	4252	cmd.exe	116
PID 4928 wrote to memory of 1216	4928	af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe	118

C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
"C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\RsggQQME\BgUgIAwk.exe
  "C:\Users\Admin\RsggQQME\BgUgIAwk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3500
- C:\ProgramData\VWgAIIMA\dSskUwUc.exe
  "C:\ProgramData\VWgAIIMA\dSskUwUc.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
    C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        8⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        10⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        12⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        14⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        16⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        18⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        20⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        22⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        24⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        26⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        28⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        30⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        32⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        33⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        34⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        35⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        36⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        37⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        38⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        39⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        40⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        41⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        42⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        43⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        44⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        45⤵
        
        PID:176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        46⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        47⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        48⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        49⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        50⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        51⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        52⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        53⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        54⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        55⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        56⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        57⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        58⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        59⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        60⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        61⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        62⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        63⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        64⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        65⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        66⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        67⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        68⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        69⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        70⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        71⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        72⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        73⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        74⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        75⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        76⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        77⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        78⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        79⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        80⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        81⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        82⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        83⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        84⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        85⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        86⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        87⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        88⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        89⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        90⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        91⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        92⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        93⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        94⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        95⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        96⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        97⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        98⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        99⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        100⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        101⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        102⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        103⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        104⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        105⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        106⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        107⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        108⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        109⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        110⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        111⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        112⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        113⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        114⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        115⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        116⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        117⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        118⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        119⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        120⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        121⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        122⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        123⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        124⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        125⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        126⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        127⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        128⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        129⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        130⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        131⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        132⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        133⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        134⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        135⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        136⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        137⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        138⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        139⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        140⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        141⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        142⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        143⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        144⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        145⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        146⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        147⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        148⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        149⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        150⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        151⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        152⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        153⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        154⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        155⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        156⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        157⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        158⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        159⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        160⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        161⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        162⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        163⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        164⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        165⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        166⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        167⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        168⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        169⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        170⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        171⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        172⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        173⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        174⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        175⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        176⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        177⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        178⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        179⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        180⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        181⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        182⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        183⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        184⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        185⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        186⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        187⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        188⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        189⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        190⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        191⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        192⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        193⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        194⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        195⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        196⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        197⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        198⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        199⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        200⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        201⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        202⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        203⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        204⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        205⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        206⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        207⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        208⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        209⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        210⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        211⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        212⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        213⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        214⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        215⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        216⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        217⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        218⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        219⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        220⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        221⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        222⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        223⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        224⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        225⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        226⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        227⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        228⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        229⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        230⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        231⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        232⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        233⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        234⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        235⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        236⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        237⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        238⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        239⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        240⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        241⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        242⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        243⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        244⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        245⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        246⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        247⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        248⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        249⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        250⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        251⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        252⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        253⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        254⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        255⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        256⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        257⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        258⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        259⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        260⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        261⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        262⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        263⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a"
        264⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe
        
        C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a
        265⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        Modifies visibility of file extensions in Explorer
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcogAksU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        264⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAAUAksY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        262⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoowYIIc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        260⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOsYcMUY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        258⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCUYAwgs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        256⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEUQoogk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        254⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEsEkoMs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        252⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        Modifies registry key
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouMskYsk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        250⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEswcUEw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        248⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsEowAcE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        246⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQYUgUUs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        244⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeMgsQsE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        242⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCMsUUAg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        240⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcsQAskw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        238⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkAMEAgE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        236⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkEQMwEM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        234⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgwYsIMY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        232⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmggYUsw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        230⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKsQgkIk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        228⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQMcAQYY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        226⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UacAAkQw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        224⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGQQIwAA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        222⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        Modifies registry key
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCkcUMwU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        220⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngsQgEII.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        218⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        Modifies registry key
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmsMsEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        216⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies registry key
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gckIgwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        214⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGEsYggY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        212⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QawgAYAo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        210⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dycMcwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        208⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqwUYUgI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        206⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuQQcsEc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        204⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSUEkkwY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        202⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoQowMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        200⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcgkYkUk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        198⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgIkAcUY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        196⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQkYwQkU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        194⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        Modifies registry key
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bogUscso.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        192⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGkgwocw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        190⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euccIQQs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        188⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaIEcsYo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        186⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAMEwwsc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        184⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgowMAco.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        182⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiUIAMYY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        180⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rioIkYoE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        178⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoYoIIQE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        176⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgggAMMI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        174⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIkAsQUI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        172⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuQMAMUk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        170⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMwcYggQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        168⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSMcsAAs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        166⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmMUkUUE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        164⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jgsswsoo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        162⤵
        
        PID:176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koUIYosE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        160⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOwgwsAg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        158⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWgYoEIw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        156⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYwcwEEY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        154⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgEwQoMg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        152⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaEYcAQc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        150⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYgAAksQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        148⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcgckQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        146⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGkgIEAc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        144⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mywwccIc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        142⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QocYQkAY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        140⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkoQoMMU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        138⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgQkokUk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        136⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEcYkoQI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        134⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByQMgEAo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        132⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAgIIwII.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        130⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqMwYUUM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        128⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmgYgkIE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        126⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUIYwUsw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        124⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buMEgkcc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        122⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCwsMEkg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        120⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOskUMEs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        118⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYwYIsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        116⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awsYwUok.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        114⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOgMQokc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        112⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyYMMEws.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        110⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgIMIUYE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        108⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmMokIkk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        106⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYMkUcQw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        104⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEYkwEkM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        102⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuYYcgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        100⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQMoUAIU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        98⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCwksgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        96⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeIcQAgE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        94⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nysEgcQo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        92⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcYossYo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        90⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiAEYsoM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        88⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faUUcMco.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        86⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwkgkwko.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        84⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcYcYwko.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        82⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUkcUUIM.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        80⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaEsoQYg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        78⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEYosoAE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        76⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCQUgIUE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        74⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diMEMQYE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        72⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCsQgUAU.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        70⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiUccgwo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        68⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IukYkgos.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        66⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKAAUYgo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        64⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQIQoMkE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        62⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMYskgcw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        60⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOkAYgEI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        58⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwYkQQwo.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        56⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoMIsEYs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        54⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOsEAwoY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        52⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mggwoskA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        50⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOsYosMk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        48⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUkYIQwE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        46⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWwoYkAc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        44⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWkUoQgA.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        42⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMMAUAAc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        40⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hccYMYIk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        38⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIcwIEAw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        36⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\socYEQkY.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        34⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcAYQEwE.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        32⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwkskIMs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        30⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msYIQwsg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        28⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOccwAAg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        26⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUgkkIks.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        24⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKwksksc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        22⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkQYQUgc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        20⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKIkoMME.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        18⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwogYoYs.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        16⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WugcMgIc.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        14⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiwcEsss.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        12⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEIwQUIw.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        10⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgYAwAgg.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        8⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4060
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4284
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:872
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKAoYAsI.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1856
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4512
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCEkEkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3468
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5056
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyIMkMEk.bat" "C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a.exe""
  2⤵
  PID:4684
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1240

C:\ProgramData\GyscAIEE\qeUQMQIk.exe
C:\ProgramData\GyscAIEE\qeUQMQIk.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GyscAIEE\qeUQMQIk.exe

Filesize
430KB

MD5
3f380e91b3c82a789ea58f8a6d7191a9

SHA1
5325deb1f18d0b4afb67a675181486c6ccbf6e1e

SHA256
bb86ad76dfe8d6d8892d5fc93783be758d9f6ce2f42ef4e831d190d8e8d27081

SHA512
6896377b26e83e2ebb3cc3fd72423d4e1e02b9e6f63f99d8afd1ac6098e06990f9496953b6b4fec0cbec2cea0da432d16d276e19992bbef610e5054b5c57a0dd

Download Submit
C:\ProgramData\GyscAIEE\qeUQMQIk.exe

Filesize
430KB

MD5
3f380e91b3c82a789ea58f8a6d7191a9

SHA1
5325deb1f18d0b4afb67a675181486c6ccbf6e1e

SHA256
bb86ad76dfe8d6d8892d5fc93783be758d9f6ce2f42ef4e831d190d8e8d27081

SHA512
6896377b26e83e2ebb3cc3fd72423d4e1e02b9e6f63f99d8afd1ac6098e06990f9496953b6b4fec0cbec2cea0da432d16d276e19992bbef610e5054b5c57a0dd

Download Submit
C:\ProgramData\VWgAIIMA\dSskUwUc.exe

Filesize
433KB

MD5
a74a9cf9dc1b2131e8655eb016c38664

SHA1
2f66b32dd5d35dbb0765608d9bce792446fd97d2

SHA256
555b64330fe5f07cf8346edf69b396a050d0ed4b14838000e3302aa180d62063

SHA512
789462bb50d7a4cbb0baea17401e6bc8353caba7c78727b9cd7c5df50cc856e630196204896e0f97d2c5d48fee5524dc8174bb272ad59ba799e8c41f1de73d00

Download Submit
C:\ProgramData\VWgAIIMA\dSskUwUc.exe

Filesize
433KB

MD5
a74a9cf9dc1b2131e8655eb016c38664

SHA1
2f66b32dd5d35dbb0765608d9bce792446fd97d2

SHA256
555b64330fe5f07cf8346edf69b396a050d0ed4b14838000e3302aa180d62063

SHA512
789462bb50d7a4cbb0baea17401e6bc8353caba7c78727b9cd7c5df50cc856e630196204896e0f97d2c5d48fee5524dc8174bb272ad59ba799e8c41f1de73d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKwksksc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwogYoYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKAoYAsI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQYQUgc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WugcMgIc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZiwcEsss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\af0b03c9e76aef0bf8ff3521fa5db168399fb5873ba7064be7d8da41e6df725a

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEIwQUIw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIcwIEAw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hccYMYIk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUgkkIks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\msYIQwsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKIkoMME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcAYQEwE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwkskIMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\socYEQkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgYAwAgg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOccwAAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMMAUAAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCEkEkcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\RsggQQME\BgUgIAwk.exe

Filesize
432KB

MD5
5412e63211036ae30db1232ee458c1e3

SHA1
9575e03970579530c8470d596a1e969e4b8086db

SHA256
4549762c3832d49c4f6fa0ffbda0b2348cc2e882e4168b46ff92dc022a7c3e91

SHA512
90757de22169d84a38383b15068bde6e4e0281ac5a82ca48ad4035e276af646e4ba3e6b8123470325cab9902cdd83deca2b138320b578719bb6e6b4fac9ae7e3

Download Submit
C:\Users\Admin\RsggQQME\BgUgIAwk.exe

Filesize
432KB

MD5
5412e63211036ae30db1232ee458c1e3

SHA1
9575e03970579530c8470d596a1e969e4b8086db

SHA256
4549762c3832d49c4f6fa0ffbda0b2348cc2e882e4168b46ff92dc022a7c3e91

SHA512
90757de22169d84a38383b15068bde6e4e0281ac5a82ca48ad4035e276af646e4ba3e6b8123470325cab9902cdd83deca2b138320b578719bb6e6b4fac9ae7e3

Download Submit
memory/176-298-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/176-297-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/216-285-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/216-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/484-164-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/552-204-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/552-199-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1076-305-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1076-304-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1096-314-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1180-260-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1180-132-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1240-226-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1624-320-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1624-321-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1900-214-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1900-201-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2096-296-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2148-270-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2148-244-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2148-271-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2288-299-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2460-318-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2608-286-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2608-143-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2780-309-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2948-313-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3044-316-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3044-315-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3080-257-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3172-283-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3372-307-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3372-308-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3420-319-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3500-141-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3500-284-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3836-322-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3916-295-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3952-165-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3952-149-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4008-301-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4008-302-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4020-248-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4168-266-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4240-317-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4352-306-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4388-300-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4408-323-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4456-312-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4456-311-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4512-253-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4512-249-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4512-279-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4536-232-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4536-238-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4668-189-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4700-287-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4700-291-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4728-310-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4784-259-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4928-173-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4928-179-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4944-303-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5036-275-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download