b5bc9eba7dea50a283115771c3e3c0c7a25333ce729537fc96fc8782e4767128

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 11:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a1e0dadede90fff9bc3e115c3e71da6.exe
Size

484KB
MD5

1a1e0dadede90fff9bc3e115c3e71da6
SHA1

58c93beec97df100f565ab9533353cd456a72380
SHA256

b5bc9eba7dea50a283115771c3e3c0c7a25333ce729537fc96fc8782e4767128
SHA512

88058ea2048be2f80128654c743e57b01fa02bd1987b50324b0c44cca345789b7509bc063faadabb6c1a024a4ae29a49c63b8a1a61bea4f79de39c308199201f
SSDEEP

6144:Y03U3tjQGgI/NaqEuaIhI/Igpzuf8B6O13ALfTeotio/wwp7LBHpY9yTirt3O1hs:Y03ZGrIq9V6IaG1Q3GfhtFZl6XUS4EN

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1a1e0dadede90fff9bc3e115c3e71da6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2636	qKgooUgY.exe
3320	buYwkcQA.exe
4840	SYwUAkUg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\buYwkcQA.exe = "C:\\ProgramData\\ZiscsYYA\\buYwkcQA.exe"	SYwUAkUg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qKgooUgY.exe = "C:\\Users\\Admin\\GsMwcoIw\\qKgooUgY.exe"	1a1e0dadede90fff9bc3e115c3e71da6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\buYwkcQA.exe = "C:\\ProgramData\\ZiscsYYA\\buYwkcQA.exe"	1a1e0dadede90fff9bc3e115c3e71da6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qKgooUgY.exe = "C:\\Users\\Admin\\GsMwcoIw\\qKgooUgY.exe"	qKgooUgY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\buYwkcQA.exe = "C:\\ProgramData\\ZiscsYYA\\buYwkcQA.exe"	buYwkcQA.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1a1e0dadede90fff9bc3e115c3e71da6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1a1e0dadede90fff9bc3e115c3e71da6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1a1e0dadede90fff9bc3e115c3e71da6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1a1e0dadede90fff9bc3e115c3e71da6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\GsMwcoIw	SYwUAkUg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\GsMwcoIw\qKgooUgY	SYwUAkUg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3084	reg.exe
5660	reg.exe
5264	reg.exe
4016	reg.exe
2780	reg.exe
4940	reg.exe
2120	reg.exe
4508	reg.exe
3068	reg.exe
4136	reg.exe
2072	reg.exe
4884	reg.exe
5592	reg.exe
5144	reg.exe
3172	reg.exe
5240	reg.exe
4768	reg.exe
1812	reg.exe
4624	reg.exe
1416	reg.exe
5508	reg.exe
1668	reg.exe
460	reg.exe
1996	reg.exe
5688	reg.exe
1716	reg.exe
2788	reg.exe
5284	reg.exe
5984	reg.exe
5528	reg.exe
768	reg.exe
688	reg.exe
1196	reg.exe
4384	reg.exe
1836	reg.exe
6068	reg.exe
4884	reg.exe
2952	reg.exe
864	reg.exe
3464	reg.exe
2164	reg.exe
1736	reg.exe
5380	reg.exe
3200	reg.exe
3848	reg.exe
2200	reg.exe
5308	reg.exe
1348	reg.exe
2188	reg.exe
3984	reg.exe
5468	reg.exe
5264	reg.exe
3640	reg.exe
1652	reg.exe
5332	reg.exe
384	reg.exe
5788	reg.exe
1848	reg.exe
4020	reg.exe
5984	reg.exe
2200	reg.exe
5204	reg.exe
3192	reg.exe
1564	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	1a1e0dadede90fff9bc3e115c3e71da6.exe
2376	1a1e0dadede90fff9bc3e115c3e71da6.exe
2376	1a1e0dadede90fff9bc3e115c3e71da6.exe
2376	1a1e0dadede90fff9bc3e115c3e71da6.exe
4016	1a1e0dadede90fff9bc3e115c3e71da6.exe
4016	1a1e0dadede90fff9bc3e115c3e71da6.exe
4016	1a1e0dadede90fff9bc3e115c3e71da6.exe
4016	1a1e0dadede90fff9bc3e115c3e71da6.exe
788	1a1e0dadede90fff9bc3e115c3e71da6.exe
788	1a1e0dadede90fff9bc3e115c3e71da6.exe
788	1a1e0dadede90fff9bc3e115c3e71da6.exe
788	1a1e0dadede90fff9bc3e115c3e71da6.exe
2780	1a1e0dadede90fff9bc3e115c3e71da6.exe
2780	1a1e0dadede90fff9bc3e115c3e71da6.exe
2780	1a1e0dadede90fff9bc3e115c3e71da6.exe
2780	1a1e0dadede90fff9bc3e115c3e71da6.exe
5068	1a1e0dadede90fff9bc3e115c3e71da6.exe
5068	1a1e0dadede90fff9bc3e115c3e71da6.exe
5068	1a1e0dadede90fff9bc3e115c3e71da6.exe
5068	1a1e0dadede90fff9bc3e115c3e71da6.exe
440	1a1e0dadede90fff9bc3e115c3e71da6.exe
440	1a1e0dadede90fff9bc3e115c3e71da6.exe
440	1a1e0dadede90fff9bc3e115c3e71da6.exe
440	1a1e0dadede90fff9bc3e115c3e71da6.exe
2060	1a1e0dadede90fff9bc3e115c3e71da6.exe
2060	1a1e0dadede90fff9bc3e115c3e71da6.exe
2060	1a1e0dadede90fff9bc3e115c3e71da6.exe
2060	1a1e0dadede90fff9bc3e115c3e71da6.exe
4200	1a1e0dadede90fff9bc3e115c3e71da6.exe
4200	1a1e0dadede90fff9bc3e115c3e71da6.exe
4200	1a1e0dadede90fff9bc3e115c3e71da6.exe
4200	1a1e0dadede90fff9bc3e115c3e71da6.exe
2872	1a1e0dadede90fff9bc3e115c3e71da6.exe
2872	1a1e0dadede90fff9bc3e115c3e71da6.exe
2872	1a1e0dadede90fff9bc3e115c3e71da6.exe
2872	1a1e0dadede90fff9bc3e115c3e71da6.exe
4212	1a1e0dadede90fff9bc3e115c3e71da6.exe
4212	1a1e0dadede90fff9bc3e115c3e71da6.exe
4212	1a1e0dadede90fff9bc3e115c3e71da6.exe
4212	1a1e0dadede90fff9bc3e115c3e71da6.exe
3592	1a1e0dadede90fff9bc3e115c3e71da6.exe
3592	1a1e0dadede90fff9bc3e115c3e71da6.exe
3592	1a1e0dadede90fff9bc3e115c3e71da6.exe
3592	1a1e0dadede90fff9bc3e115c3e71da6.exe
2060	1a1e0dadede90fff9bc3e115c3e71da6.exe
2060	1a1e0dadede90fff9bc3e115c3e71da6.exe
2060	1a1e0dadede90fff9bc3e115c3e71da6.exe
2060	1a1e0dadede90fff9bc3e115c3e71da6.exe
692	1a1e0dadede90fff9bc3e115c3e71da6.exe
692	1a1e0dadede90fff9bc3e115c3e71da6.exe
692	1a1e0dadede90fff9bc3e115c3e71da6.exe
692	1a1e0dadede90fff9bc3e115c3e71da6.exe
2356	1a1e0dadede90fff9bc3e115c3e71da6.exe
2356	1a1e0dadede90fff9bc3e115c3e71da6.exe
2356	1a1e0dadede90fff9bc3e115c3e71da6.exe
2356	1a1e0dadede90fff9bc3e115c3e71da6.exe
4276	1a1e0dadede90fff9bc3e115c3e71da6.exe
4276	1a1e0dadede90fff9bc3e115c3e71da6.exe
4276	1a1e0dadede90fff9bc3e115c3e71da6.exe
4276	1a1e0dadede90fff9bc3e115c3e71da6.exe
2992	1a1e0dadede90fff9bc3e115c3e71da6.exe
2992	1a1e0dadede90fff9bc3e115c3e71da6.exe
2992	1a1e0dadede90fff9bc3e115c3e71da6.exe
2992	1a1e0dadede90fff9bc3e115c3e71da6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2636	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	89
PID 2376 wrote to memory of 2636	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	89
PID 2376 wrote to memory of 2636	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	89
PID 2376 wrote to memory of 3320	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	91
PID 2376 wrote to memory of 3320	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	91
PID 2376 wrote to memory of 3320	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	91
PID 2376 wrote to memory of 3708	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	94
PID 2376 wrote to memory of 3708	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	94
PID 2376 wrote to memory of 3708	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	94
PID 3708 wrote to memory of 4016	3708	cmd.exe	96
PID 3708 wrote to memory of 4016	3708	cmd.exe	96
PID 3708 wrote to memory of 4016	3708	cmd.exe	96
PID 2376 wrote to memory of 4552	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	97
PID 2376 wrote to memory of 4552	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	97
PID 2376 wrote to memory of 4552	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	97
PID 2376 wrote to memory of 3552	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	102
PID 2376 wrote to memory of 3552	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	102
PID 2376 wrote to memory of 3552	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	102
PID 2376 wrote to memory of 4312	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	98
PID 2376 wrote to memory of 4312	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	98
PID 2376 wrote to memory of 4312	2376	1a1e0dadede90fff9bc3e115c3e71da6.exe	98
PID 4016 wrote to memory of 1564	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	103
PID 4016 wrote to memory of 1564	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	103
PID 4016 wrote to memory of 1564	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	103
PID 4016 wrote to memory of 4524	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	108
PID 4016 wrote to memory of 4524	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	108
PID 4016 wrote to memory of 4524	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	108
PID 4016 wrote to memory of 4624	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	107
PID 4016 wrote to memory of 4624	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	107
PID 4016 wrote to memory of 4624	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	107
PID 4016 wrote to memory of 452	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	105
PID 4016 wrote to memory of 452	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	105
PID 4016 wrote to memory of 452	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	105
PID 4016 wrote to memory of 1844	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	106
PID 4016 wrote to memory of 1844	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	106
PID 4016 wrote to memory of 1844	4016	1a1e0dadede90fff9bc3e115c3e71da6.exe	106
PID 1564 wrote to memory of 788	1564	cmd.exe	113
PID 1564 wrote to memory of 788	1564	cmd.exe	113
PID 1564 wrote to memory of 788	1564	cmd.exe	113
PID 788 wrote to memory of 3248	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	115
PID 788 wrote to memory of 3248	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	115
PID 788 wrote to memory of 3248	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	115
PID 788 wrote to memory of 3520	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	117
PID 788 wrote to memory of 3520	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	117
PID 788 wrote to memory of 3520	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	117
PID 788 wrote to memory of 1464	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	116
PID 788 wrote to memory of 1464	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	116
PID 788 wrote to memory of 1464	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	116
PID 788 wrote to memory of 640	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	119
PID 788 wrote to memory of 640	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	119
PID 788 wrote to memory of 640	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	119
PID 788 wrote to memory of 4744	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	118
PID 788 wrote to memory of 4744	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	118
PID 788 wrote to memory of 4744	788	1a1e0dadede90fff9bc3e115c3e71da6.exe	118
PID 3248 wrote to memory of 2780	3248	cmd.exe	120
PID 3248 wrote to memory of 2780	3248	cmd.exe	120
PID 3248 wrote to memory of 2780	3248	cmd.exe	120
PID 2780 wrote to memory of 1524	2780	1a1e0dadede90fff9bc3e115c3e71da6.exe	126
PID 2780 wrote to memory of 1524	2780	1a1e0dadede90fff9bc3e115c3e71da6.exe	126
PID 2780 wrote to memory of 1524	2780	1a1e0dadede90fff9bc3e115c3e71da6.exe	126
PID 2780 wrote to memory of 4860	2780	1a1e0dadede90fff9bc3e115c3e71da6.exe	131
PID 2780 wrote to memory of 4860	2780	1a1e0dadede90fff9bc3e115c3e71da6.exe	131
PID 2780 wrote to memory of 4860	2780	1a1e0dadede90fff9bc3e115c3e71da6.exe	131
PID 2780 wrote to memory of 3704	2780	1a1e0dadede90fff9bc3e115c3e71da6.exe	130

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1a1e0dadede90fff9bc3e115c3e71da6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1a1e0dadede90fff9bc3e115c3e71da6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1a1e0dadede90fff9bc3e115c3e71da6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1a1e0dadede90fff9bc3e115c3e71da6.exe

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
"C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\GsMwcoIw\qKgooUgY.exe
  "C:\Users\Admin\GsMwcoIw\qKgooUgY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2636
- C:\ProgramData\ZiscsYYA\buYwkcQA.exe
  "C:\ProgramData\ZiscsYYA\buYwkcQA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        8⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        10⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        12⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        14⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        16⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        18⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        20⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        22⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        24⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        26⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        28⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        30⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        32⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        33⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        34⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        35⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        36⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        37⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        38⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        39⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        40⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        41⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        42⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        43⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        44⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        45⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        46⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        47⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        48⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        49⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        50⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        51⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        52⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        53⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        54⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        55⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        56⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        57⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        59⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        60⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        61⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        62⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        63⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        64⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwAkUkos.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        64⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUIQEAUM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        62⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TooEkQYA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        60⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgEosIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        58⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:5912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hokswwcU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        56⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:6012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEksYwEM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        54⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:6076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akUcEEow.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        52⤵
        
        PID:6040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:5984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:5508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWIgkgQo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        50⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uakMQAEs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        48⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:5264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWoAUgUo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        46⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSYUMsIc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        44⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsYwogIU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        42⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqQsIAII.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        40⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCMwYIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        38⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMcQckQw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        36⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAUYIsks.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        34⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqcAQMUY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        32⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aegooQkE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        30⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWUAwIwo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        28⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYcoMcEk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        26⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuMcIsAI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        24⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOggAgsA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        22⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmMAUsoE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        20⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msQQMcgY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        18⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkogUoQY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        16⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICgkEAgU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        14⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jygMAcMU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        12⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuYgEIkk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        10⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEQUcckI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4860
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1464
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMYAQwks.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        6⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2188
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeYEcwAA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:1844
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1580
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4624
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4552
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyAQYwgE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5956

C:\ProgramData\VikEAQko\SYwUAkUg.exe
C:\ProgramData\VikEAQko\SYwUAkUg.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:5864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:5820
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3340
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:6012
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:5624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwgEscAg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4992

C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
1⤵
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
  2⤵
  PID:5396
- - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
    C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
    3⤵
    PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
      4⤵
      PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        5⤵
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        6⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        7⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        8⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        9⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        10⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        11⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        12⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        13⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        14⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        15⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        16⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        17⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        18⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        19⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        20⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        21⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        22⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        23⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        24⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        25⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        26⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        27⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        28⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        29⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        30⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        31⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        32⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        33⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        34⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        35⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        36⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        37⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        38⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        39⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        40⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        41⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        42⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        43⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        44⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        45⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        46⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        47⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        48⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        49⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        50⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        51⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        52⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        53⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        54⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        55⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        56⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        57⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        58⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        59⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        60⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        61⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        62⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        63⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        64⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        65⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        66⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        67⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        68⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        69⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        70⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        71⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        72⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        73⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        74⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        75⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        76⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        77⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        78⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        79⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        80⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        81⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        82⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        83⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        84⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        85⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        86⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        87⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        88⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        89⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        90⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        91⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        92⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        93⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        94⤵
        
        PID:5572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        95⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        96⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        97⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        98⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        99⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        100⤵
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        101⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        102⤵
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        103⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        104⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        105⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        106⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        107⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        108⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        109⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        110⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        111⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        112⤵
        
        PID:3116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        113⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        114⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        115⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        116⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        117⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        118⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        119⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        120⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        121⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        122⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        123⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        124⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        125⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        126⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        127⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        128⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        129⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        130⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        131⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        132⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        133⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        134⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        135⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        136⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        137⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        138⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        139⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        140⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        141⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        142⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        143⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        144⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        145⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        146⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        147⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        148⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        149⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        150⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        151⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        152⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        153⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        154⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        155⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        156⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        157⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        158⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        159⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        160⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        161⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        162⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        163⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        164⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        165⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        166⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        167⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        168⤵
        
        PID:528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        169⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        170⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        171⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        172⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        173⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        174⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        175⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        176⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        177⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        178⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        179⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        180⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        181⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        182⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        183⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        184⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        185⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        186⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        187⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        188⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        189⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        190⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        191⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        192⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        193⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        194⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        195⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        196⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        197⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6"
        198⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6
        199⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        Modifies registry key
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUMAkUI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        198⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seAYsIMw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        196⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayUYEYUo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        194⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWsksAIA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        192⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImcUEUYU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        190⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYYMgYgk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        188⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyIMskcY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        186⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAskUUAs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        184⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAYMEUUs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        182⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsUoYckA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        180⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMAgkosc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        178⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEwgcgYM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        176⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:6116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWwEEcws.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        174⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgwkokEs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        172⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZawQccwo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        170⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieoEcYEE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        168⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqEAUMMk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        166⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MywoUkAY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        164⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tagUIccY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        162⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCAYcoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        160⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwMokskA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        158⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCwMoMUs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        156⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcQcwYUI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        154⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMcoAwcg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        152⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:5264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEEAEkQk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        150⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyQAUgcM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        148⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAAkQsUk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        146⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIIYMMQM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        144⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:5388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PowsgkMU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        142⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmssQccw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        140⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:5468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwQoYYYE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        138⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAEwcccM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        136⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeIAYkws.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        134⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkUsIoIc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        132⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iysEUksg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        130⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikMEsgEc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        128⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwwsAgAs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        126⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmgMUsck.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        124⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMYUQgEo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        122⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAwIMcAs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        120⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIQgMUYo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        118⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKskQkwk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        116⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOQMAEAg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        114⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByscEEIA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        112⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOckEMgY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        110⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncQUcgow.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        108⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:5660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgwgsssE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        106⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAEsMwgU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        104⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqIEoscI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        102⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:5284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeMUQIEU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        100⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMoEAAAM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        98⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:6060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BesEkwMY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        96⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmcgsQkw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        94⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsEksYww.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        92⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:5204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quAIUIEw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        90⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coQwkQAA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        88⤵
        
        PID:5616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSoockYk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        86⤵
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqQocwcg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        84⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCAwwYwY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        82⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSIEMoEk.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        80⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIkkEoIA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        78⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwQAkQIs.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        76⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqcUYMQg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        74⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EywwMcgE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        72⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQswEIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        70⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqwoIsko.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        68⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wckUoQQc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        66⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKIwAoMw.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        64⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsUUAEIE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        62⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uagosAcY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        60⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmAgAowo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        58⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuoosoQo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        56⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaMUsIMc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        54⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiMoQcQo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        52⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygcEUoEM.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        50⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqQwEwkg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        48⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsYsgIEU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        46⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auQIcAAY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        44⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMEIEYcE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        42⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOwkcgMI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        40⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:5960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuQsQocE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        38⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:5332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAYEYgMU.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        36⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWcYUcok.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        34⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOQYAEMY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        32⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emwgYkAI.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        30⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:5312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSkYkgIo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        28⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKMsIEso.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        26⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCAwcosE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        24⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEQskMIo.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        22⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emcYwoMg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        20⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acYQMsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        18⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:5936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEQQQwwE.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        16⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWYsowcA.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        14⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEckAQAc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        12⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:5544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGUkEgIY.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        10⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biYAwgUc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5956
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3252
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IywwQMMg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
        6⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4944
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5368
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIEcgwUc.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
      4⤵
      PID:5304
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4956
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:6068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYUEUosg.bat" "C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6.exe""
  2⤵
  PID:5348
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5960

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- UAC bypass
PID:6012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VikEAQko\SYwUAkUg.exe

Filesize
433KB

MD5
6ff68d7a0588e2b0932037a94811e6ba

SHA1
016c2be6767e66306b06a138d784988e055c23aa

SHA256
551822a3f3a52236c692dfa651b6b51205d49b475af87a2d5a5b374f72ce4b9f

SHA512
976142528e949b89538d066745cc746476abbb36931648a17a2348b727120fd07f3713c4d08a519d32e546f7cf3987ff5de8f8b45c98a00cbd52ebbf69b1b6cb

Download Submit
C:\ProgramData\ZiscsYYA\buYwkcQA.exe

Filesize
434KB

MD5
0da58cfbf8f28ce44c9a1013e73d1b30

SHA1
92dc8c549a86de7cf4eebb00c78166591a0bc65c

SHA256
79b03e49389b2a05c7f0627e67c4a2da2977e7dbc0733621970370207bd2d23a

SHA512
0608fd678552b6864044cc4cad6687b838cbca15f2cfd6024d6afd57134a04444b96de5206478a71128a671cd6ea50379a45b0dd4d3406b5f2d9f50dfde30eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a1e0dadede90fff9bc3e115c3e71da6

Filesize
48KB

MD5
44840b46ae11971c62f6ea59273bad91

SHA1
79477b9308b0fb13e7c274c4b8f06f7c36a91543

SHA256
22326779f5599fe87151ac35ba694b47322eb990967d7b22c4a45194ff53e08a

SHA512
4883d0e061cea60681dee0fb2afbfb1e64c068291d8aa04bfddc527abf3f81cfbf176fd2ebbcccacff7fdddc0ee76bbe88de711ac133d8ea0fd689bff5db6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIYM.exe

Filesize
1.0MB

MD5
7df2c2d4a5d535086f702226c6c04608

SHA1
a9057e7808bbe3a9b3b8848a550c2b6aed2d5610

SHA256
e331a8dabe51d70d6912c6fb991c6303a76f12afb29238f428cbf189c5646632

SHA512
4565630a62215a8e9ad986fe4acc776fb284651362c2d766d9189ebfd8def56951de9644c3cd73e588b8cd840521e177675492ecd74d0ff2ebfde6b1fa2ac75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMME.exe

Filesize
274KB

MD5
d8a162df99c586fe10119d098d2ac3b9

SHA1
b3ed26ff8ccb7b96cde065dbaa6959a1dad3efad

SHA256
079816aea3b90c2c17978b120c368f02593e1104871d81b7a37ff4ec9c03e989

SHA512
3bf8ca9143ca22debd4ad331f7fe5bb94ff0671415f8d217c4e950fadd95ac4d3bf6d43564c77132d11608a711dac8b4bdd6cc2dd2b1f931e4eaf688ab41e8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAu.exe

Filesize
460KB

MD5
e3e750c96fe504e521288edfc54d84fe

SHA1
b6c07b67e9ec3d8ddd63b9e74f4fd21c2eeea7dd

SHA256
9e011e339678194976733dd5b0fe31a6faff2e3c1244e9550ee88346b2ff0904

SHA512
9e0e9eebf5f77ee8b29d07c6ba9ee59736466966832912611f08fa0174faaf369bb3c6ebf5c3ed2a238349ae5cc1bcb2a0b28036e33170f0e995af8bfaba92c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAoI.exe

Filesize
436KB

MD5
fdee4d16927aabf7a0b6aebf50fed22e

SHA1
a9439e248857c3403d959f7c8620c2606aa768e3

SHA256
d72b5e4a62c1fb2003b27eda14e6c1fae346b1341c68fa3e5a2bbf1e66f05c38

SHA512
8c5915fb09305796352a8a6ab1f9f34aa3c0de77046f04f511c09fc8411e1bcf96bbcca0ac6854bdf0c2cb8adef43030ca95a26edb3256738037f307442d072d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIm.exe

Filesize
441KB

MD5
87ad7ddeadd71b9bd47a51f86ecb006c

SHA1
06b670920a6de6674d444a81d53a4a8c0648bff1

SHA256
2c649cdb6f6d90c0a4132f6dd3828f5eed0aa5b412ff24f0fd931954f26736d6

SHA512
0a63f19c3afcf6240e09ecf7a081035105f239287ff09ad96a4917d9bf5dbb51f11782144818082e4efdae56100061915c08d5df0c8d3f74ff0417941ac0040c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoIW.exe

Filesize
287KB

MD5
51b4b09090cb03dc040e287be58b6301

SHA1
acb733ccf5ab5b670926fbcba85704b65b10f5ec

SHA256
5d41f3cdc7011cb4c6c4bcc6126756d5c973d82f019bf2b3b5641a988c879715

SHA512
2f5f6e11a95a647edef013f7b42a3a036fb656c2d31b65cc17b128a1af728497ac6f31d37de446c5a834b1f6aaef1c1dd46639750553599905c2f15e2cbf9e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQoo.exe

Filesize
459KB

MD5
cddc9d79be3f03caf3905578d0c2a9fc

SHA1
0fa1271a1e10e6520b4d0375c9e512e3ec7ac6d0

SHA256
5cfa5feca8b2a4536fbb97cb8a789c9b54aa0a547d0a69f5e10313f23fe5be6c

SHA512
7a7372cbe176c4fecb7af199e6f23c57e9bb4869e8f21257fe9f24e032d980be28d9d0c801a24c88b51bc762ccd9a2e3787dc3b39fee1e849426989ff340b55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAgw.exe

Filesize
1022KB

MD5
ade21fe18ee98d3641144663a342c65b

SHA1
a223ee095cdf0d67e0b3491cf492ba0a0266488d

SHA256
b2258335d41e2c7a7b693e69938b857cbee7cc472e9b1cc0e7d9bf4f328c2c48

SHA512
8e3e59a47cdd0089d48c9712ffad471177744d23285a5f559b1fff5d5d09e526de08fcc140278d0f07a776647faef51406292453a8d0fd884bb5d765309363ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEAu.exe

Filesize
437KB

MD5
990bdee37e818ffabf9ffbbddbdad1d4

SHA1
86cc563b68d47372b363b17ef9166476ab2ca2c5

SHA256
18a0bbd43a2114a547f5bb6695f251abf9d05813d6a3cb9c3197a8a6d41e3457

SHA512
3f8a5bbacc01173582fe0a760b39dfaa14e145dd215f1a9a3e8c4d30af55611635152bcb36c7206846711718086382ff71eec1b39f748ef53cfe3ae7e49ea6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsYG.exe

Filesize
448KB

MD5
6bbca4fd57595c857adb723baefb2fe7

SHA1
0aa7e2c31e1c554f8be0c67415897c682172cef9

SHA256
118e49f475bd3b95c6fc11e7ff12101c1f5c8205542ed12bd247a3d23323c15e

SHA512
9953cefb05db745516b637bccb9f594b754f7311cc8f43d0c34482282158202c7d93f5e69a1cc7d51f518e3a7a6e727a8d4a6864aef4ad0f5429bed385b97030

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIkc.exe

Filesize
440KB

MD5
ef367fe62bfbe1fec2ffae43ca075e4e

SHA1
a028be7464fa19e87209bfef53d5896ca09d4ace

SHA256
324d7ea86fc1c31f5e47f3b6a5b6977bce002abb899dadc9dcf8b2479b80a8eb

SHA512
5c79d6368b0a86f025a1b75256240a52e7151816228bf580e76fcf0ff1c47b31a5ecb6d330cd834a5de44d9a0abb4bcebde51cc250e97b115bfcbd11f5931ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoMM.exe

Filesize
434KB

MD5
ae7eda300ff8af81d170d64fd85399c2

SHA1
9070cb59d08bfbb863eba3954b830914b9279d4c

SHA256
08131dd9cf6b2ded2bfc4cf16ab6fbaaf6d7d53f743089e13cb7afa5f96891ed

SHA512
652f0a3b94796cf04e088106fcb3692fe60b1d4f312fd2e9b4bbfe5b8200296643bd2d1a579fd854dd51fce8bbb75c86c4620e45e2ccd9754a7b5b22cdc9dd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAwA.exe

Filesize
452KB

MD5
a19de9a8cc9258bdc8b8a4b430713b69

SHA1
76517ecc91ba44f380e835ff7bd6fa710f152f63

SHA256
8938d54280f00206bf8ecd610122fd17e7426f54c796f1c6523d09056e6de02e

SHA512
37f701e6e74ad67217a1df0b8117a5df5fe44a996a123e6f25098b62f1ec7b59c9a90ecbe1c474377923211023ded25763c7257245325e56a29a887a8b4d33a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwoU.exe

Filesize
58KB

MD5
cb78fd642715783a33f56e5d10784b6e

SHA1
f8f0b504629655a56c72ba143aa1f83f03ce33c7

SHA256
f5e4d62c9e2e5b2fb7a54a51d62aa2d7a3f7e7187533e17bce118620649855ad

SHA512
2196c962f61a35fed437b82900d5e95fb52c891bb965ae6ff6ae31204d8407aab2c62c1226c771c50f812e6eb722e1d2eb140bb8a7c15fa1dc794a431b263bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYoc.exe

Filesize
502KB

MD5
1cbccc4d20aa18f5f82f24eb43b98569

SHA1
a7733363afb8eb7c92f97ce7885a7f7e22b2df8e

SHA256
d6dde6a677627f00f0ed3a1cff9fb6a1e89371eb5b296fbfd28a4c42f23ff98f

SHA512
4b4e1049169d820ae4d69cfbc023e84cdd824fe0b750ebdc364d6ff75f702df68580f78cfafac470d4caac60ab28c80bf069d9b1ee6f619793885eeecc8fc218

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGoc.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQYK.exe

Filesize
437KB

MD5
463d3b77e49449b810c1bf81bba508b7

SHA1
412a66c0924bdd056c05f159486b9ac2393cdc9e

SHA256
6e5dcbd85210b2fd37e8193fe83d87ab409f92ed71e064286bb2cf79a7da7112

SHA512
3172a33427c271bbc23b280a9d590dcec800af153f4a5d3ce2f586c16f701cda1a0940c6cc60f113a99bd4620cdb682f03258b5e87bc2ee05c627f18fed9bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeYEcwAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgYq.exe

Filesize
557KB

MD5
83701e1b31c05d9a9fa5abe30cb7a408

SHA1
9aaa9abc5c3fba5555dbb0dea3e8e62407719c2b

SHA256
1dfc091856be4a19b1272feb82fbae9ad8f5e8b9acde26ff7e031a155cdbe251

SHA512
93b56df5f88dff22f20695c24c76a2c1eb8e16a9af97049bd37097b35f2cb18b65f70955c8adb1776f069775210b6b1df5c714e8955f53320807d7908448fb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUUM.exe

Filesize
437KB

MD5
64b192f3e7a15a5815b309b7715a323f

SHA1
c2432b85bd992d4ed0b77c043757fecde29094a1

SHA256
71cd9758cad97ca59a5991e46cb6813822b5fdc0e0e9a2dda1328c1abd7b56d8

SHA512
2d3fb077ef671018c9ef3e5e7d01be9ff97a3581375f1d452b9890a9197b0177bfa49fa16a139825ab8e2155156a63c5519d2884d825cdabc6a7ac54cbd72723

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYwW.exe

Filesize
444KB

MD5
b4321ca0c9677e8d722d78107d3756cd

SHA1
4808926890b221df6ca453b156aac63af60a93fe

SHA256
08ea8d0fbb336fd363c53347cb2fe0097a930ab12e3ce47713c4cce7e0009420

SHA512
b5958b475feb364e817a1285e2f26a37d8467a876d109305143d1c7a98e9dc0a03bde9e3f509393d021a197f941c1746239c8796052e769523fe4635400d31e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEcw.exe

Filesize
473KB

MD5
6075c29c015862c80386f65616df4e14

SHA1
bb41294f4d07b67e0b57ec914f154dd02abaf37c

SHA256
f5eda58c9f27e9aeddb4e1425451c64f5b2bc0cb22d764ade41ca2761062b273

SHA512
330c83a3a8b691be2718ad0baae00e2da2b23814370227b01089b1fabd77cc86c6956861173554d123cc079811464b20d4a5dec910fe1e6f03c35585db2ccfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUQc.exe

Filesize
447KB

MD5
372edafaaade681890638776de86a90c

SHA1
e4997b8815e666374b39326cf2284970add2ea1f

SHA256
de2b1d2e11f7008caa02067bb5d9b51555677a3b666a7d01a7e81f3a6c1b4a20

SHA512
836f4626c86e8a964757776041f2876991ad79f4ec96305de6686adff69cc450155f040daf7d5e49982c99ac3fadb4c464be91fe87c364abe8d430fae24aa650

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAcw.exe

Filesize
436KB

MD5
5bbddcd5e2d15d9a629acbac94a0bee9

SHA1
5316acc2618ea12545ac439f303f115859759c58

SHA256
e974cfb1f5abc8e0b8cba156efa60e2120789639a2a908f25bae354f956722a8

SHA512
49c629edc610802cfd0a4bb5e0510ee2b9c3abe7d7c53009fbe5eea6c21f5cd7ce34cad602a00bb9da26c8d2fdb1996154eec5b7bb339c7c5076bef6e1f11a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEI.exe

Filesize
441KB

MD5
e5506301e56f144afd2d435088f85f16

SHA1
6d4152303504da6916035adb61a3619158cc4f88

SHA256
04b189b2fc929976ce564cf344e81e5ef4e214decfb09134d4d5488f114f0f07

SHA512
c3bd78228faef03ac3a1caf6a2cc03513f1dee15b495b0b56a2980a1baf4100a2fed08d9d9987a26e502894fb88f09df24cd7d2d7211b7909f94a0000214de30

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQMM.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\acQo.exe

Filesize
1021KB

MD5
1d9b16ca323c27103d710576323a8ae6

SHA1
2e423497bb496ed480696aff8797175b098b4609

SHA256
f07ce951b7c7f0a8300de5f820cb311001e8388809baff939822ae1ae8425a25

SHA512
e9bb773a5434b1e7c9b5231345298c0a7e8ba34a4c6f38f3db1703c0e602ee25f8d01df99b9ffecdbe512b2db8883396a85e89b9e5d9a013730ac8aa3175b5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgcg.exe

Filesize
805KB

MD5
efabfc8560b627436d21bbfc67119d6e

SHA1
796078fb6c91ade26305861f917573cf2783e95a

SHA256
bada9a1e9ddd247b34f05092d4a3f5344fa6d4b94da869b7de0a2b6d98587513

SHA512
fd6f1b18d4effc214fff087799a37a0e70da6ae9fd2ebf88e9aacc68955aa6ddc4161a558298eec7826278674fb06c4fc7a7f129378b799bf88ae78275b5dc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUYm.exe

Filesize
441KB

MD5
425c2c6184f5a7eeda97e978fd0864d3

SHA1
dd7499f881040e28bef22109779798c68eb679b5

SHA256
938516378eefb740c997c00d7dc87fcdc8726218e6a1f144e6e12af674c7b485

SHA512
5d824399c360a3e0526398ea8a272ac777c39e8ee91574acca8c538f08749726e3906a86eab3d3bde1f4451584a5f0ab581c0e571124a7dfcdddde1d5ea12937

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQUS.exe

Filesize
435KB

MD5
0c42dee441ed95ca2de32e090c7dc812

SHA1
47c74e99443d0615f48190c16a0db614d3d42cc3

SHA256
0203f082a58f856ca557db4d9e34fc678b0569bd19befd11e29d0640a76895e0

SHA512
0c7c113d77e413b20d8edd69c9bf68a58b6b194d9fa2078c42290c8e19fe8d64e1913899eff31cbbcce727517bf4458c3e59a89b5392195cec6683ddebb20f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAcC.exe

Filesize
435KB

MD5
1f1a25c6de3c2afa6c147b0bd870c6eb

SHA1
8060635ba905843687531c9db014a53543cd3dc5

SHA256
c6702c8a6e12c06af93f96e87e49cfcdd55d4fdc4a5de3fed6e7058c805300cb

SHA512
3f0feb6f4ee3677665b9bb614dd73fd12cb4553c1da39567f3b452fdd6bd0351af9a9b043e3a8b15b2bdeb7359b13ebe13c665d5c127d44bca83ee886ea26fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQEa.exe

Filesize
384KB

MD5
2cefb559c83b7661f93f90e075f09b25

SHA1
d080dcab57e7fc8a98a74a168e4e66d827a58024

SHA256
7426a3bc1b5f33305bf8badaeb60bb458f3bdf1c2b8768a84df4202328d998a5

SHA512
bdc9ec6ffe587ab71a3bc7a0fc403c8830beabd3a9dcbde780a41b1213082a502b499fbf19226b90ab0067ff8bdeddd420fcf98c256335c09c01e6a4b93af159

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoUe.exe

Filesize
438KB

MD5
b1cc9ff8be580ce767ececcbd4334208

SHA1
a1eb8f019528c02c3dfa18be07119abe5a64cc3e

SHA256
3d0f3744b35fccb74d40cfcb0081e1d206856639155377963b029bd2b6955fbf

SHA512
badcfb709c9ae05b90da9f7314b47482620f0bce64cd5e9b187ed50a4d94ee037612be29d2c1c951971aee9b1034fac99c1c620d997a11a53bb5e11d8fb29852

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQoa.exe

Filesize
434KB

MD5
44688a544236ab6d0be9cad3741c75b5

SHA1
c770d4a6527fbc3d8fca128ec558e94ed8fbf990

SHA256
d19cc5d275cfe3d317158b4e0e0f87922d95765c1d86a588fe78d402e88fee29

SHA512
37433a8c67ce29b9a4a5179c479dd2a4e34c00beb49fcb0bffb5ff2bd78497bce1d3ae5bd5af8ad442a74ff53b1f364000051c52b2d65c6d466659325b433540

Download Submit
C:\Users\Admin\AppData\Local\Temp\isIy.exe

Filesize
888KB

MD5
d367ef828c379fb751463ad6e2c149d4

SHA1
0b30eafe412776c95cd0ee999d158eaa7d5ec069

SHA256
a717786c0d9040d8ac424f3d06a9a3a0b65e29ef1e35530da7decaeef2734af1

SHA512
165f6dbfd960fb85fe25a70cedc7e1079717a4d11b5663d0b677b289507a8b0a76273c795aabfeadfe350238b0897bc884fd72dc6ccdd210cb8e6726f77cb663

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwu.exe

Filesize
441KB

MD5
68a9ffe8c6c7d69e9063f0cee3a4fafc

SHA1
a9a006b9892ca17b6ca37daf7a8438e7526aa365

SHA256
be26d3538c4ae75ba38e2bcd7463a2e6a513bff78e31c11b7d38de61a359eb5e

SHA512
12097d722d3d90b0a489eb94534b21bccefdb3f127a620bfe1e58b9de54d737543a7c663e4e2a73e21c6785a031624fee60b4c6bedde6fca720f0d00f9ee8d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIcE.exe

Filesize
439KB

MD5
b911cd5e51b6014b2eeb17260e408be2

SHA1
cfa8d35ddda0eb0514f7542a8b49156db62d7b52

SHA256
08e5e562119fd2dae3a1ff7b6f16e840086ea087218c3fe51c7ca9b984168542

SHA512
432a421acf1a016fff9436108d73f1886aec6db0f6771916816eca98ccb786c94c99cbb373465921e022102800491c1c00ede178614703d22930ca8c9df0d5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwUM.exe

Filesize
436KB

MD5
9ed35f49d85399472b7f73ac3751a1f4

SHA1
9a6bebf172656993e347d8c6353e476c38320ed6

SHA256
cfc48485bcd1a5ef78cc1ba9d1593f822c4a1bbf8d10279a8b9d0b0e48fd872f

SHA512
f4706c96701a6c4b063369c197791d52542b62e7f6e8ad2fdc9d229f9671ab5e1d0b039ab7161e0a6ad2cc6a037c942b5794889271f4f8e959d0e81c587ba8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEwY.exe

Filesize
439KB

MD5
69a46032f43522de0c45abfa701881ae

SHA1
989b077446d59ba3ee221966ebe73740fd470c6e

SHA256
96f9b180e776bf69b8234eff3683267b231ae3099c663e288149fb5643ce164e

SHA512
04d99df7a3e3b85fb326aa1c57791a0778b078b98e65d86bb37dd41c4353239d3660c49c5e82154596a372d438d5d208cb3b0cd5ebe5e1636e08baef4d3bc73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQEw.exe

Filesize
285KB

MD5
7f975b1c40d3a40923682c6607b155bb

SHA1
869943f3085d743399db7066a625732096c5ddec

SHA256
bab65fbc9f986a952f89606b75747b2461641fb0606bd727fd23c201f932c856

SHA512
c3b0c753f2a69296eca953aa2fdfeac4245bda0bbfa083bf80ddeb23d97fbbc4554ebd25b318af7b2ceb0923d8fefef4150a321f36aded666014053c43d3c6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwQi.exe

Filesize
438KB

MD5
b205760aa1df543ec63a50843c5c8b14

SHA1
95b4eceb0088d51143e63e336bbc4fb0bdeb0a4f

SHA256
c5e7f0c02e5fa58782f24ae769ee42bfe79ebdc3a2038d4cd6ba3c211d572834

SHA512
7764fae228b9cc10e0184de9bb9487cf8ca3ffa0d20cca53c2f427dba01dbb97933f9de705b962e6aa4c8a7ac0cc177f2b0857f965da9d5bbd5f7cd655f94321

Download Submit
C:\Users\Admin\AppData\Local\Temp\owQK.exe

Filesize
438KB

MD5
b1b680edc6e09b33de699aec855c32d3

SHA1
a5126c3d83d93ae8621eb6d9307da5cb85591600

SHA256
7b5d1931a41a8e0a48bee2179ca75ff2e93746e0bece6a20a0315dbdfba4fad8

SHA512
c4b0fce22a0b4e7e471c41f973520bd52223da41e1bd27e21d9d1a51dd597f999ceea1054f0197011bfa1a4a022f8c8422687fcf62c479b3c7d06a1aa07429e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMMY.exe

Filesize
437KB

MD5
8f35b884a147673d7da9e7c5a31888d9

SHA1
929a85919e84c53a8535278dceee1329737301fd

SHA256
f3cb298f0be96257cfd0ee4245ee71d6f68716c179b1a094318a7994ee7f8a55

SHA512
cabf74d1b630a48130b3d127a08a925f68340c801656f9cee9350bf366405daf6a247500cb99aeafd7b15b1a1539c23e041c2fdb44e845424616b35c8f875859

Download Submit
C:\Users\Admin\AppData\Local\Temp\psMU.exe

Filesize
436KB

MD5
fa15605749afc7ee21b7a8eb9ee71ca4

SHA1
75cbdf38819f0474f3c40d55dc9e74e2404cec55

SHA256
fae325f571cc232397d603491e8ce4cd7672165f2642bca276e410f9580c9914

SHA512
a6a6f658f2851114986b2d2ba19490731ca93c3e86dff256ab8b7c9bda0716f99be4d4cb503b27d3d4c15c9760942ab0545f551f4540ef179fba5b28f5ff731d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAky.exe

Filesize
448KB

MD5
23f7c0e01eac212c98a9be8e92c05039

SHA1
bb09fce1fdeb681ebffdd815b3d2b600e98ddfbb

SHA256
aa0bda921e7db5bd8350bd7f695e966c05abcb921fdf9defee51517f9ab40a6b

SHA512
e741ae6ac5d15925685a93ae0b38362b8357729061f8787255a7578bedc80e958084a0a89fa27fad8f4067231389b4d499be1f2a860d5b9e6b3b78e3c91a308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoQE.exe

Filesize
440KB

MD5
c6fbdcfae9610137b4c5aff309fe3403

SHA1
8cba9e128672b6c11296022172b28a72f3599a12

SHA256
937716db1ff01c289b315f811ec4440cab19c139ce6688aa33d67d826a3f049f

SHA512
f8ef55f4a152be9736011056a6f1a3b4a4c1972ea5494c925514fe54f0d4f06c6585d878b7f63ada3ed5d83f7c18e6d987ead636c2a14ebe163ef1aebbba0084

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsku.exe

Filesize
57KB

MD5
cd5a8d43ee6acb2417c90171f581b5fa

SHA1
1946823304c99f8c1761b1c3cc09083736a0511c

SHA256
95c214a720805eb6f7e4c8db62e02140f8c46e6b8a888519f4f6884064e0fa1d

SHA512
e32688ad4f436f88cda2e03765031b9adca79088f508f225426cf4f7be764c1a4f7bebacf986970fddafd4073a31d8fd6535638efe000c98c48bdae0e1f480cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkwE.exe

Filesize
734KB

MD5
3d2d7d8a877427557ad65f2923bbe693

SHA1
56de78817d9fb9ab8c29b78ea9486cec43773a1e

SHA256
02f374b0287076ce012b5a6240be740fc27a07f3449dcca31169437533a555a9

SHA512
42811215a225d449097dd5ab6ad30de7307c5e06a65112cbe2b580267374fc4fea6fa64b3b5c2b33d82bbfcb3c810bd1ec6cf15fd26fa7b23d7ac21bfdb02e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIoY.exe

Filesize
480KB

MD5
9af9623cb9ca8b4a25117ebddc4016b2

SHA1
69d1d181f7cc8e8fa3afb3025812e8478cb56d28

SHA256
9694e2b6a9bef347c01948b4656662a37a6244e606bddad853119801ae3ec8b8

SHA512
9d30603a308c52fdeb6bd385da40931826095a38fee9192630527f42feb045891e325702c4d7e2a87a31833c48f259635778c08408eaa415bb614407835ccbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIMK.exe

Filesize
4.1MB

MD5
eabe8025206f44f478cc76ca073658bf

SHA1
1333bd4b046ac3d13ecd6a6d028ed0329895a573

SHA256
b6bfa3be5207b9d1a8612ed375fc74fc4b8fadaee37d3a7dfa8411df2f5dfd87

SHA512
78482f1671ab433f6a857e130b3e95fee5980945333059ae37352b6ae28dd14306e406f5e3a4c068e714da0023f00adadf9cf202b2579cb650843352f6c58905

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQcY.exe

Filesize
436KB

MD5
4cc8976198a333488460148e1baff5c1

SHA1
b0f2c6592f5e0c0e666c346cc2caa03689e2f557

SHA256
94a24fc52b0ae7fd5541b2e08b05075a13c0e78d3a544abd25f315dd954c6bc5

SHA512
709503d46953630c298bc15aa91230089b6acf5b7f384d197def10470bb202bf09b0c53049c636e5915e68bcc99c5c14784d79bd13392b4284c5d939c25480ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUsY.exe

Filesize
560KB

MD5
40682436f1a7f97aadc93f0234697f4e

SHA1
5031dcd6e5eb093a2c654bc263386381709878c1

SHA256
86b8e9a0985473962f2d82b34a2bb043dbeb5412b083a5e82c6051d535570513

SHA512
b25f79f0143a2d325a681d37436464f36a20790e4f2dfd2cd66aa803e23098e3a2d6db0f6bca076f6e61725b7105953312579d77cae0868de129a43d92ecc547

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIAC.exe

Filesize
438KB

MD5
561bcf36dfeed450d3e8787c38f24d88

SHA1
df29c270fac32a13b813391b7d28ac31630a2f83

SHA256
87b397420b7b6ede193a39b250c7b37ddd17b228ec3567d1830ff7e58fd4e38e

SHA512
e5ff15bad167741d84132cce0cefc013a1d2755e68dc92fc6d6f83185b27c605585162d5ca7b5e74302395844a317364a00d557762452181ae294f47470340af

Download Submit
C:\Users\Admin\GsMwcoIw\qKgooUgY.exe

Filesize
431KB

MD5
cfcc32f06037c6ae2c85e634507ec74e

SHA1
80e50d5c1f60dd129a4e7c8ba93bae391e46f643

SHA256
291b8a93bc8b89e807054ee103749fa8914ebccb8912d712f471af49c910f6e3

SHA512
102cb582afb25325252c08308dac2c94eaf0c0ca180941a2cd2920ab1b790a16d07f91d2d207f1b04c6ebc9899e057507fb82f10dff539609545ef3cf00de2df

Download Submit
memory/440-71-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/440-86-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/692-178-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/788-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/788-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1544-263-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1544-274-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1812-634-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1812-649-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2060-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2060-102-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2060-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2060-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2356-189-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2376-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2376-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2432-247-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2636-70-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2636-6-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2780-53-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2780-42-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-115-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2992-216-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3320-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3320-72-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3584-378-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3584-408-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3592-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3592-150-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3592-526-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3592-576-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4016-36-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4016-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4200-103-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4200-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4208-256-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4212-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4212-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4236-409-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4236-431-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4276-200-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4388-278-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4480-306-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4480-334-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4668-314-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4668-339-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4840-74-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4840-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4968-234-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5068-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5068-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5408-290-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5540-299-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5540-295-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5676-639-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5676-619-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5696-623-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5820-648-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5820-628-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6032-447-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6032-486-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6060-304-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6060-309-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download