dda1fc9e77bfd70b8d3d18cca9a4f91f95908c00da0e90bdb924694f656ed7bf

Analysis

max time kernel
38s
max time network
200s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14/07/2024, 12:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

yfga_game.exe
Size

695KB
MD5

381533364081945e7f9d74b76f0c5a9e
SHA1

8eecd0b8f483753a6b3f2620db05e8ff5f01a048
SHA256

dda1fc9e77bfd70b8d3d18cca9a4f91f95908c00da0e90bdb924694f656ed7bf
SHA512

92180252a6cec3f2e831c07feaee6be56bac5fbddfa776db2c68ad8aaa591c6a8a6cbfc4b563b483671d9602c37501d2eaf23c4942c80db6c7a0230b3706dcb2
SSDEEP

6144:n/cEoPEMzHkY2QbqbHV7bJ/S6qbrOSMPEM6qCGdCPEMCGdM:xoPp56zZN3PVCGsP4G2

Score

8^/10

discovery exploit ransomware

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
1584	takeown.exe
2952	icacls.exe
4964	takeown.exe
1788	icacls.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1584	takeown.exe
2952	icacls.exe
4964	takeown.exe
1788	icacls.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\System32\\FeatureToastBulldogImg.png"	reg.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	explorer.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
27608	26984	Process not Found	2318
27516	27984	Process not Found	1052
36932	42476	Process not Found	1519
12116	42864	Process not Found	1534
32236	46368	Process not Found	1669
32068	41612	Process not Found	1485

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5032	timeout.exe
4176	timeout.exe
22068	Process not Found

Kills process with taskkill 64 IoCs

evasion

pid	Process
54028	Process not Found
20524	Process not Found
6712	Process not Found
24676	taskkill.exe
38588	taskkill.exe
40528	taskkill.exe
38632	taskkill.exe
53980	Process not Found
26788	Process not Found
29532	Process not Found
3440	taskkill.exe
33044	taskkill.exe
38556	taskkill.exe
34700	taskkill.exe
40492	taskkill.exe
45176	taskkill.exe
51364	Process not Found
13644	taskkill.exe
24200	taskkill.exe
34724	taskkill.exe
54352	Process not Found
34676	taskkill.exe
40452	taskkill.exe
40616	taskkill.exe
22916	Process not Found
27768	Process not Found
18400	taskkill.exe
32944	taskkill.exe
45576	taskkill.exe
54360	Process not Found
3884	taskkill.exe
41072	taskkill.exe
53896	Process not Found
38168	taskkill.exe
51404	Process not Found
53996	Process not Found
10468	taskkill.exe
38564	taskkill.exe
45316	taskkill.exe
53972	Process not Found
4740	taskkill.exe
7792	taskkill.exe
53824	Process not Found
29572	Process not Found
25004	taskkill.exe
29044	taskkill.exe
51940	Process not Found
51504	Process not Found
53924	Process not Found
53988	Process not Found
6572	Process not Found
28332	taskkill.exe
32900	taskkill.exe
45400	taskkill.exe
38276	taskkill.exe
51412	Process not Found
29476	Process not Found
8028	taskkill.exe
14356	taskkill.exe
32964	taskkill.exe
54020	Process not Found
4020	taskkill.exe
34688	taskkill.exe
45392	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "603"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 560031000000000084580d6212004170704461746100400009000400efbe84580d6284580d622e00000099520100000001000000000000000000000000000000a184bb004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000084583a6c100041646d696e003c0009000400efbe84580d6284583a6c2e0000008e520100000001000000000000000000000000000000b7b12801410064006d0069006e00000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000005d9d764ead7aa66ea7decc5c86be27f135fbdcf631b1dbbf324b342f2e491c3845ebbeb6f6303754e9db5d3f4d1547bee956544891946770e880	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0a788610e9d5da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "124"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "603"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount\url6 = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = a600310000000000ee5849631000594647415f477e3100008e0009000400efbeee584963ee5849632e0000007bac0100000007000000000000000000000000000000adbd220079006600670061005f00670061006d0065005f00660063006500310039003300320037002d0061003800640034002d0034006500650033002d0061003300310066002d00640064003100360030003900390035006500310032003400000018000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount\url5 = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "23"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\NumberOfSubdomain = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "42411"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "643"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5088	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5088	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
792	MicrosoftEdgeCP.exe
792	MicrosoftEdgeCP.exe
792	MicrosoftEdgeCP.exe
792	MicrosoftEdgeCP.exe
792	MicrosoftEdgeCP.exe
792	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1232	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1232	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1232	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeShutdownPrivilege	3588	shutdown.exe
Token: SeRemoteShutdownPrivilege	3588	shutdown.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	5248	taskkill.exe
Token: SeDebugPrivilege	5240	taskkill.exe
Token: SeDebugPrivilege	5264	taskkill.exe
Token: SeDebugPrivilege	5504	taskkill.exe
Token: SeDebugPrivilege	5900	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	6228	taskkill.exe
Token: SeDebugPrivilege	6472	taskkill.exe
Token: SeDebugPrivilege	7628	taskkill.exe
Token: SeDebugPrivilege	7792	taskkill.exe
Token: SeDebugPrivilege	8076	taskkill.exe
Token: SeDebugPrivilege	8028	taskkill.exe
Token: SeDebugPrivilege	8136	taskkill.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5088	explorer.exe
5088	explorer.exe
1336	MicrosoftEdge.exe
792	MicrosoftEdgeCP.exe
1232	MicrosoftEdgeCP.exe
792	MicrosoftEdgeCP.exe
4944	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 204	2228	yfga_game.exe	73
PID 2228 wrote to memory of 204	2228	yfga_game.exe	73
PID 2228 wrote to memory of 204	2228	yfga_game.exe	73
PID 2228 wrote to memory of 4212	2228	yfga_game.exe	74
PID 2228 wrote to memory of 4212	2228	yfga_game.exe	74
PID 2228 wrote to memory of 4212	2228	yfga_game.exe	74
PID 4212 wrote to memory of 5032	4212	cmd.exe	79
PID 4212 wrote to memory of 5032	4212	cmd.exe	79
PID 4212 wrote to memory of 5032	4212	cmd.exe	79
PID 792 wrote to memory of 4524	792	MicrosoftEdgeCP.exe	85
PID 792 wrote to memory of 4524	792	MicrosoftEdgeCP.exe	85
PID 792 wrote to memory of 4524	792	MicrosoftEdgeCP.exe	85
PID 792 wrote to memory of 4524	792	MicrosoftEdgeCP.exe	85
PID 792 wrote to memory of 4524	792	MicrosoftEdgeCP.exe	85
PID 792 wrote to memory of 4524	792	MicrosoftEdgeCP.exe	85
PID 4212 wrote to memory of 1584	4212	cmd.exe	88
PID 4212 wrote to memory of 1584	4212	cmd.exe	88
PID 4212 wrote to memory of 1584	4212	cmd.exe	88
PID 4212 wrote to memory of 2952	4212	cmd.exe	89
PID 4212 wrote to memory of 2952	4212	cmd.exe	89
PID 4212 wrote to memory of 2952	4212	cmd.exe	89
PID 4212 wrote to memory of 2948	4212	cmd.exe	90
PID 4212 wrote to memory of 2948	4212	cmd.exe	90
PID 4212 wrote to memory of 2948	4212	cmd.exe	90
PID 4212 wrote to memory of 4420	4212	cmd.exe	91
PID 4212 wrote to memory of 4420	4212	cmd.exe	91
PID 4212 wrote to memory of 4420	4212	cmd.exe	91
PID 4212 wrote to memory of 4892	4212	cmd.exe	93
PID 4212 wrote to memory of 4892	4212	cmd.exe	93
PID 4212 wrote to memory of 4892	4212	cmd.exe	93
PID 4212 wrote to memory of 4964	4212	cmd.exe	94
PID 4212 wrote to memory of 4964	4212	cmd.exe	94
PID 4212 wrote to memory of 4964	4212	cmd.exe	94
PID 4212 wrote to memory of 1788	4212	cmd.exe	95
PID 4212 wrote to memory of 1788	4212	cmd.exe	95
PID 4212 wrote to memory of 1788	4212	cmd.exe	95
PID 4212 wrote to memory of 4628	4212	cmd.exe	96
PID 4212 wrote to memory of 4628	4212	cmd.exe	96
PID 4212 wrote to memory of 4628	4212	cmd.exe	96
PID 4212 wrote to memory of 3588	4212	cmd.exe	97
PID 4212 wrote to memory of 3588	4212	cmd.exe	97
PID 4212 wrote to memory of 3588	4212	cmd.exe	97
PID 4212 wrote to memory of 4312	4212	cmd.exe	99
PID 4212 wrote to memory of 4312	4212	cmd.exe	99
PID 4212 wrote to memory of 4312	4212	cmd.exe	99
PID 4212 wrote to memory of 4176	4212	cmd.exe	100
PID 4212 wrote to memory of 4176	4212	cmd.exe	100
PID 4212 wrote to memory of 4176	4212	cmd.exe	100
PID 4312 wrote to memory of 1760	4312	cmd.exe	102
PID 4312 wrote to memory of 1760	4312	cmd.exe	102
PID 4312 wrote to memory of 1760	4312	cmd.exe	102
PID 1760 wrote to memory of 2952	1760	cmd.exe	104
PID 1760 wrote to memory of 2952	1760	cmd.exe	104
PID 1760 wrote to memory of 2952	1760	cmd.exe	104
PID 4312 wrote to memory of 2944	4312	cmd.exe	105
PID 4312 wrote to memory of 2944	4312	cmd.exe	105
PID 4312 wrote to memory of 2944	4312	cmd.exe	105
PID 2952 wrote to memory of 4420	2952	cmd.exe	107
PID 2952 wrote to memory of 4420	2952	cmd.exe	107
PID 2952 wrote to memory of 4420	2952	cmd.exe	107
PID 1760 wrote to memory of 4196	1760	cmd.exe	108
PID 1760 wrote to memory of 4196	1760	cmd.exe	108
PID 1760 wrote to memory of 4196	1760	cmd.exe	108
PID 1760 wrote to memory of 4300	1760	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\yfga_game.exe
"C:\Users\Admin\AppData\Local\Temp\yfga_game.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124
  2⤵
  PID:204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\YFGA.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 24
    3⤵
    - Delays execution with timeout.exe
    PID:5032
- - C:\Windows\SysWOW64\takeown.exe
    takeown C:\Windows\System32\logonui.exe Admin
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1584
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\logonui.exe Grant:\Admin
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    reg import reg.reg
    3⤵
    - Sets desktop wallpaper using registry
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im fontdrvhost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im TextInputhost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Windows\SysWOW64\takeown.exe
    takeown C:\Windows\explorer.exe Admin
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4964
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\explorer.exe Grant:\Admin
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /o /t 300 /c "HAHA I HACKED YOU AYFGA ROCKS YOU"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K spam.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K spam.bat
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        5⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        6⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        7⤵
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        8⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        31⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        32⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        33⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        34⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        35⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        36⤵
        
        PID:12812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        37⤵
        
        PID:13124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        38⤵
        
        PID:13400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        39⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        40⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        41⤵
        
        PID:14980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        42⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        43⤵
        
        PID:15992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        44⤵
        
        PID:15408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        45⤵
        
        PID:16732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        46⤵
        
        PID:17140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        47⤵
        
        PID:17496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        48⤵
        
        PID:17988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        49⤵
        
        PID:18332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        50⤵
        
        PID:18068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        51⤵
        
        PID:18728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        52⤵
        
        PID:19336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        53⤵
        
        PID:19724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        54⤵
        
        PID:20060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        55⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        56⤵
        
        PID:21012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        57⤵
        
        PID:21748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        58⤵
        
        PID:22336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        59⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        60⤵
        
        PID:22884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        61⤵
        
        PID:23356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        62⤵
        
        PID:23304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        63⤵
        
        PID:24184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        64⤵
        
        PID:24728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        65⤵
        
        PID:25288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        66⤵
        
        PID:25664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        67⤵
        
        PID:26220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        68⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        69⤵
        
        PID:27124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        70⤵
        
        PID:26784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        71⤵
        
        PID:27984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        72⤵
        
        PID:28964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        73⤵
        
        PID:29352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        74⤵
        
        PID:29648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        75⤵
        
        PID:30288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        76⤵
        
        PID:30884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        77⤵
        
        PID:31312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        78⤵
        
        PID:31896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        79⤵
        
        PID:33412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        80⤵
        
        PID:33768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        81⤵
        
        PID:33832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        82⤵
        
        PID:34944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        83⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        84⤵
        
        PID:39724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        85⤵
        
        PID:41020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        86⤵
        
        PID:41664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        87⤵
        
        PID:42016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        88⤵
        
        PID:43068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        89⤵
        
        PID:43516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        90⤵
        
        PID:44096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        91⤵
        
        PID:44912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        92⤵
        
        PID:45868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        93⤵
        
        PID:46312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        94⤵
        
        PID:47776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        95⤵
        
        PID:48304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        96⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        36⤵
        
        PID:44392
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        36⤵
        Kills process with taskkill
        
        PID:45400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        35⤵
        
        PID:44376
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        35⤵
        
        PID:45356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        34⤵
        
        PID:44328
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        34⤵
        
        PID:44864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        33⤵
        
        PID:40372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        33⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        32⤵
        
        PID:40396
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        32⤵
        Kills process with taskkill
        
        PID:41072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        31⤵
        
        PID:40000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        31⤵
        Kills process with taskkill
        
        PID:40492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        30⤵
        
        PID:36884
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        30⤵
        
        PID:38208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        29⤵
        
        PID:36868
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        29⤵
        Kills process with taskkill
        
        PID:38632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        28⤵
        
        PID:34004
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        28⤵
        
        PID:34636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        27⤵
        
        PID:32156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        27⤵
        
        PID:32208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        26⤵
        
        PID:32132
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        26⤵
        
        PID:32972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        25⤵
        
        PID:15028
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        25⤵
        
        PID:29036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        24⤵
        
        PID:28608
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        24⤵
        
        PID:28648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        23⤵
        
        PID:28636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        23⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        22⤵
        
        PID:24496
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        22⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        21⤵
        
        PID:24560
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        21⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        20⤵
        
        PID:21248
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        20⤵
        
        PID:21296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        19⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        19⤵
        
        PID:21104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        18⤵
        
        PID:20392
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        18⤵
        
        PID:20436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        17⤵
        
        PID:17772
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        17⤵
        Kills process with taskkill
        
        PID:18400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        16⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        16⤵
        
        PID:14884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        15⤵
        
        PID:13800
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        15⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        14⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        14⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        13⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        13⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        13⤵
        
        PID:38368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        12⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7628
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        12⤵
        
        PID:23184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        11⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        11⤵
        
        PID:12604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        10⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
        10⤵
        
        PID:16152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:16216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:16440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:17108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:17404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:17728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:18220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:19044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:19056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:20244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:20860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:21384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:21832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:22544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:23116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:23528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:23588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:23824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:24072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:24752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:25192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:25620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        31⤵
        
        PID:26140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        32⤵
        
        PID:25700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        33⤵
        
        PID:26988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        34⤵
        
        PID:27256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        35⤵
        
        PID:28236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        36⤵
        
        PID:28772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        37⤵
        
        PID:29692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        38⤵
        
        PID:29972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        39⤵
        
        PID:30832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        40⤵
        
        PID:31616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        41⤵
        
        PID:32712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        42⤵
        
        PID:33316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        43⤵
        
        PID:33988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        44⤵
        
        PID:34476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        45⤵
        
        PID:31548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        46⤵
        
        PID:39652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        47⤵
        
        PID:40700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        48⤵
        
        PID:41348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        49⤵
        
        PID:41716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        50⤵
        
        PID:42304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        51⤵
        
        PID:42692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        52⤵
        
        PID:43172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        53⤵
        
        PID:43864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        54⤵
        
        PID:45028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        55⤵
        
        PID:45968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        56⤵
        
        PID:46392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        57⤵
        
        PID:47116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        58⤵
        
        PID:47716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        59⤵
        
        PID:48632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        60⤵
        
        PID:48876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        10⤵
        
        PID:21000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        10⤵
        
        PID:21024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        9⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
        9⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        
        PID:11604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:13056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:12484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:13600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:14184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:14576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:15816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:16164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:16432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:17928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:18436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:18640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:19064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:19756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:20584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:21056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        31⤵
        
        PID:21100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        32⤵
        
        PID:22000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        33⤵
        
        PID:22280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        34⤵
        
        PID:22028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        35⤵
        
        PID:23012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        36⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        37⤵
        
        PID:24476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        38⤵
        
        PID:25184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        39⤵
        
        PID:25496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        40⤵
        
        PID:25764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        41⤵
        
        PID:26228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        42⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        43⤵
        
        PID:26968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        44⤵
        
        PID:27304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        45⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        46⤵
        
        PID:28104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        47⤵
        
        PID:28712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        48⤵
        
        PID:29856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        49⤵
        
        PID:30256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        50⤵
        
        PID:30668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        51⤵
        
        PID:30920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        52⤵
        
        PID:31492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        53⤵
        
        PID:31728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        54⤵
        
        PID:33012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        55⤵
        
        PID:33540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        56⤵
        
        PID:33632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        57⤵
        
        PID:33800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        58⤵
        
        PID:35060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        59⤵
        
        PID:38140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        60⤵
        
        PID:39772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        61⤵
        
        PID:41196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        62⤵
        
        PID:41868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        63⤵
        
        PID:42044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        64⤵
        
        PID:43060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        65⤵
        
        PID:43524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        66⤵
        
        PID:43600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        67⤵
        
        PID:44792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        68⤵
        
        PID:45496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        69⤵
        
        PID:46260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        70⤵
        
        PID:46828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        71⤵
        
        PID:47876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        72⤵
        
        PID:48684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        73⤵
        
        PID:48976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        12⤵
        
        PID:44432
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        12⤵
        Kills process with taskkill
        
        PID:45576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        11⤵
        
        PID:44416
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        11⤵
        
        PID:45364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        10⤵
        
        PID:40548
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        10⤵
        
        PID:40784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        9⤵
        
        PID:14032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        9⤵
        
        PID:14068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        8⤵
        
        PID:60
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
        8⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        8⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:13344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:13664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:14044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:14272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:15280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:15500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:15712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:16088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:16420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:16780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:17068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:17396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        31⤵
        
        PID:17908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        32⤵
        
        PID:18620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        33⤵
        
        PID:19100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        34⤵
        
        PID:19648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        35⤵
        
        PID:20068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        36⤵
        
        PID:20328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        37⤵
        
        PID:20896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        38⤵
        
        PID:21464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        39⤵
        
        PID:21724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        40⤵
        
        PID:22096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        41⤵
        
        PID:21444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        42⤵
        
        PID:22812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        43⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        44⤵
        
        PID:23832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        45⤵
        
        PID:24340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        46⤵
        
        PID:24660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        47⤵
        
        PID:25116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        48⤵
        
        PID:25544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        49⤵
        
        PID:26120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        50⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        51⤵
        
        PID:27004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        52⤵
        
        PID:27296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        53⤵
        
        PID:26656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        54⤵
        
        PID:27868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        55⤵
        
        PID:28816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        56⤵
        
        PID:29300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        57⤵
        
        PID:28916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        58⤵
        
        PID:29952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        59⤵
        
        PID:30384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        60⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        61⤵
        
        PID:31660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        62⤵
        
        PID:32336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        63⤵
        
        PID:32676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        64⤵
        
        PID:33720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        65⤵
        
        PID:33852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        66⤵
        
        PID:34532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        67⤵
        
        PID:38420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        68⤵
        
        PID:36220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        69⤵
        
        PID:39580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        70⤵
        
        PID:40484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        71⤵
        
        PID:40984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        72⤵
        
        PID:41844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        73⤵
        
        PID:42084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        74⤵
        
        PID:42864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        75⤵
        
        PID:43160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        76⤵
        
        PID:43468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        77⤵
        
        PID:44176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        78⤵
        
        PID:46208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        79⤵
        
        PID:46756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        80⤵
        
        PID:47288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        81⤵
        
        PID:47644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        82⤵
        
        PID:48064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        83⤵
        
        PID:48248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        84⤵
        
        PID:20020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        18⤵
        
        PID:44448
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        18⤵
        
        PID:45348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        17⤵
        
        PID:44368
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        17⤵
        
        PID:45168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        16⤵
        
        PID:44320
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        16⤵
        Kills process with taskkill
        
        PID:45176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        15⤵
        
        PID:40476
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        15⤵
        
        PID:40744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        14⤵
        
        PID:40428
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        14⤵
        
        PID:40812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        13⤵
        
        PID:40160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        13⤵
        
        PID:40900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        12⤵
        
        PID:36900
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        12⤵
        
        PID:38580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        11⤵
        
        PID:36916
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        11⤵
        
        PID:38200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        10⤵
        
        PID:34140
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        10⤵
        
        PID:34440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        9⤵
        
        PID:34116
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        9⤵
        
        PID:34664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        8⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        8⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        8⤵
        
        PID:38540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        7⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
        7⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        7⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        8⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:12620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        31⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        32⤵
        
        PID:14656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        33⤵
        
        PID:15436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        34⤵
        
        PID:16272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        35⤵
        
        PID:16620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        36⤵
        
        PID:16980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        37⤵
        
        PID:17308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        38⤵
        
        PID:17708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        39⤵
        
        PID:18260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        40⤵
        
        PID:18476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        41⤵
        
        PID:18756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        42⤵
        
        PID:19328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        43⤵
        
        PID:19848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        44⤵
        
        PID:20280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        45⤵
        
        PID:20944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        46⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        47⤵
        
        PID:21968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        48⤵
        
        PID:22452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        49⤵
        
        PID:22740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        50⤵
        
        PID:23336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        51⤵
        
        PID:23008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        52⤵
        
        PID:24208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        53⤵
        
        PID:24592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        54⤵
        
        PID:24980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        55⤵
        
        PID:25504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        56⤵
        
        PID:25656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        57⤵
        
        PID:26180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        58⤵
        
        PID:25484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        59⤵
        
        PID:27080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        60⤵
        
        PID:27036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        61⤵
        
        PID:27884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        62⤵
        
        PID:28692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        63⤵
        
        PID:29564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        64⤵
        
        PID:30108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        65⤵
        
        PID:30368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        66⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        67⤵
        
        PID:31340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        68⤵
        
        PID:32008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        69⤵
        
        PID:32448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        70⤵
        
        PID:31688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        71⤵
        
        PID:33288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        72⤵
        
        PID:33644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        73⤵
        
        PID:34280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        74⤵
        
        PID:35184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        75⤵
        
        PID:38516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        76⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        77⤵
        
        PID:39604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        78⤵
        
        PID:40756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        79⤵
        
        PID:41388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        80⤵
        
        PID:41404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        81⤵
        
        PID:42708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        82⤵
        
        PID:42116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        83⤵
        
        PID:43636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        84⤵
        
        PID:14944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        85⤵
        
        PID:44808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        86⤵
        
        PID:45900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        87⤵
        
        PID:47208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        88⤵
        
        PID:48220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        89⤵
        
        PID:48560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        90⤵
        
        PID:48716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        91⤵
        
        PID:49092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        31⤵
        
        PID:44360
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        31⤵
        Kills process with taskkill
        
        PID:45392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        27⤵
        
        PID:44456
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        27⤵
        
        PID:45324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        26⤵
        
        PID:44440
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        26⤵
        
        PID:45384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        25⤵
        
        PID:40124
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        25⤵
        Kills process with taskkill
        
        PID:40616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        24⤵
        
        PID:40040
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        24⤵
        Kills process with taskkill
        
        PID:40528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        23⤵
        
        PID:34196
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        23⤵
        Kills process with taskkill
        
        PID:34676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        22⤵
        
        PID:36908
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        22⤵
        
        PID:38160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        21⤵
        
        PID:34124
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        21⤵
        Kills process with taskkill
        
        PID:34724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        20⤵
        
        PID:32164
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        20⤵
        
        PID:32956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        19⤵
        
        PID:32124
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        19⤵
        Kills process with taskkill
        
        PID:32964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        18⤵
        
        PID:28664
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        18⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        17⤵
        
        PID:28552
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        17⤵
        
        PID:29168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        16⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        16⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        15⤵
        
        PID:24404
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        15⤵
        
        PID:24436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        14⤵
        
        PID:24424
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        14⤵
        
        PID:24464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        13⤵
        
        PID:20540
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        13⤵
        
        PID:20612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        12⤵
        
        PID:19752
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        12⤵
        
        PID:14000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        11⤵
        
        PID:17780
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        11⤵
        
        PID:17872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        10⤵
        
        PID:14612
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        10⤵
        
        PID:14636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        9⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        9⤵
        
        PID:14340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        8⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        8⤵
        Kills process with taskkill
        
        PID:14356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        7⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6472
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        7⤵
        
        PID:18112
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        6⤵
        
        PID:1628
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
        6⤵
        
        PID:5572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        6⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        7⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        8⤵
        
        PID:5216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:12944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:13548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:14496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        31⤵
        
        PID:14972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        32⤵
        
        PID:15340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        33⤵
        
        PID:15736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        34⤵
        
        PID:16076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        35⤵
        
        PID:16852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        36⤵
        
        PID:17244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        37⤵
        
        PID:17672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        38⤵
        
        PID:18452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        39⤵
        
        PID:18744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        40⤵
        
        PID:19360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        41⤵
        
        PID:20096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        42⤵
        
        PID:20528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        43⤵
        
        PID:21180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        44⤵
        
        PID:21656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        45⤵
        
        PID:22364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        46⤵
        
        PID:22612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        47⤵
        
        PID:23196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        48⤵
        
        PID:23540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        49⤵
        
        PID:23768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        50⤵
        
        PID:24092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        51⤵
        
        PID:24788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        52⤵
        
        PID:25104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        53⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        54⤵
        
        PID:26040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        55⤵
        
        PID:26456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        56⤵
        
        PID:26884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        57⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        58⤵
        
        PID:28172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        59⤵
        
        PID:28404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        60⤵
        
        PID:29332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        61⤵
        
        PID:28704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        62⤵
        
        PID:30420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        63⤵
        
        PID:30752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        64⤵
        
        PID:31304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        65⤵
        
        PID:31624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        66⤵
        
        PID:32104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        67⤵
        
        PID:32564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        68⤵
        
        PID:33128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        69⤵
        
        PID:33592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        70⤵
        
        PID:34244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        71⤵
        
        PID:38116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        72⤵
        
        PID:39072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        73⤵
        
        PID:39844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        74⤵
        
        PID:41408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        75⤵
        
        PID:41812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        76⤵
        
        PID:42288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        77⤵
        
        PID:42740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        78⤵
        
        PID:43200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        79⤵
        
        PID:43620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        80⤵
        
        PID:43928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        81⤵
        
        PID:44280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        82⤵
        
        PID:45800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        83⤵
        
        PID:46400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        84⤵
        
        PID:46984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        85⤵
        
        PID:48176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        86⤵
        
        PID:49148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        28⤵
        
        PID:44384
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        28⤵
        
        PID:45464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        27⤵
        
        PID:44400
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        27⤵
        
        PID:45184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        26⤵
        
        PID:40360
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        26⤵
        
        PID:40692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        25⤵
        
        PID:40320
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        25⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        24⤵
        
        PID:40252
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        24⤵
        
        PID:40928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        23⤵
        
        PID:36948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        23⤵
        
        PID:38528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        22⤵
        
        PID:36940
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        22⤵
        Kills process with taskkill
        
        PID:38168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        21⤵
        
        PID:34148
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        21⤵
        
        PID:34736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        20⤵
        
        PID:32180
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        20⤵
        
        PID:32996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        19⤵
        
        PID:32112
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        19⤵
        
        PID:32980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        18⤵
        
        PID:28560
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        18⤵
        
        PID:28596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        17⤵
        
        PID:32172
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        17⤵
        Kills process with taskkill
        
        PID:32944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        16⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        16⤵
        Kills process with taskkill
        
        PID:25004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        15⤵
        
        PID:24148
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        15⤵
        Kills process with taskkill
        
        PID:24200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        14⤵
        
        PID:20724
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        14⤵
        
        PID:20764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        13⤵
        
        PID:20484
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        13⤵
        
        PID:20708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        12⤵
        
        PID:17740
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        12⤵
        
        PID:18304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        11⤵
        
        PID:17744
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        11⤵
        
        PID:17832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        10⤵
        
        PID:13992
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        10⤵
        
        PID:14012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        9⤵
        
        PID:13792
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        9⤵
        Kills process with taskkill
        
        PID:13644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        8⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        8⤵
        
        PID:12308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        7⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        7⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:38556
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        6⤵
        
        PID:5840
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        6⤵
        
        PID:12268
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        5⤵
        
        PID:4196
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
        5⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        5⤵
        
        PID:3516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        6⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        7⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        8⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:12772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        31⤵
        
        PID:14192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        32⤵
        
        PID:14692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        33⤵
        
        PID:15008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        34⤵
        
        PID:15300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        35⤵
        
        PID:15576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        36⤵
        
        PID:15940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        37⤵
        
        PID:15788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        38⤵
        
        PID:17332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        39⤵
        
        PID:17628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        40⤵
        
        PID:18324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        41⤵
        
        PID:18680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        42⤵
        
        PID:19108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        43⤵
        
        PID:19412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        44⤵
        
        PID:19892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        45⤵
        
        PID:20700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        46⤵
        
        PID:21228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        47⤵
        
        PID:21756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        48⤵
        
        PID:22088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        49⤵
        
        PID:21544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        50⤵
        
        PID:22784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        51⤵
        
        PID:23364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        52⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        53⤵
        
        PID:23732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        54⤵
        
        PID:24100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        55⤵
        
        PID:24508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        56⤵
        
        PID:25052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        57⤵
        
        PID:25436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        58⤵
        
        PID:25704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        59⤵
        
        PID:26288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        60⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        61⤵
        
        PID:27236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        62⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        63⤵
        
        PID:28340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        64⤵
        
        PID:29400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        65⤵
        
        PID:29136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        66⤵
        
        PID:30084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        67⤵
        
        PID:30432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        68⤵
        
        PID:29900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        69⤵
        
        PID:31020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        70⤵
        
        PID:30780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        71⤵
        
        PID:31940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        72⤵
        
        PID:32460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        73⤵
        
        PID:33180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        74⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        75⤵
        
        PID:34580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        76⤵
        
        PID:38752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        77⤵
        
        PID:39132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        78⤵
        
        PID:40236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        79⤵
        
        PID:40964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        80⤵
        
        PID:42148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        81⤵
        
        PID:42916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        82⤵
        
        PID:43608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        83⤵
        
        PID:43996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        84⤵
        
        PID:44292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        85⤵
        
        PID:45488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        86⤵
        
        PID:47200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        87⤵
        
        PID:48016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        88⤵
        
        PID:48256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        89⤵
        
        PID:48668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        90⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        29⤵
        
        PID:44480
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        29⤵
        
        PID:45516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        28⤵
        
        PID:44408
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        28⤵
        Kills process with taskkill
        
        PID:45316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        27⤵
        
        PID:44464
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        27⤵
        
        PID:45508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        26⤵
        
        PID:44336
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        26⤵
        
        PID:45216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        25⤵
        
        PID:37812
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        25⤵
        Kills process with taskkill
        
        PID:38564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        24⤵
        
        PID:40332
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        24⤵
        
        PID:40680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        23⤵
        
        PID:40092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        23⤵
        
        PID:40920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        22⤵
        
        PID:40276
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        22⤵
        
        PID:40656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        21⤵
        
        PID:36876
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        21⤵
        
        PID:38152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        20⤵
        
        PID:34164
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        20⤵
        Kills process with taskkill
        
        PID:34688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        19⤵
        
        PID:36924
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        19⤵
        
        PID:38600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        18⤵
        
        PID:32140
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        18⤵
        
        PID:32988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        17⤵
        
        PID:11580
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        17⤵
        
        PID:25908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        16⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        16⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        15⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        15⤵
        Kills process with taskkill
        
        PID:29044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        14⤵
        
        PID:20632
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        14⤵
        
        PID:21260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        13⤵
        
        PID:19436
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        13⤵
        
        PID:20232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        12⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        12⤵
        
        PID:15188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        11⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        11⤵
        
        PID:13944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        10⤵
        
        PID:13808
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        10⤵
        
        PID:14348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        9⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        9⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        8⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        8⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        8⤵
        
        PID:38572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        7⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        7⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:33044
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        6⤵
        
        PID:8048
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8136
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:28332
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        5⤵
        
        PID:5220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5240
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7792
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
        5⤵
        
        PID:27576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        5⤵
        
        PID:28804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        6⤵
        
        PID:29484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        7⤵
        
        PID:29884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        8⤵
        
        PID:30700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        
        PID:31252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:31856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:32364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:32636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:33212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:33884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:35300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:9936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:39632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:41260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:41644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:42024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:42532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:42956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:43484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:44712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:46368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:47032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:47352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:47596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:48188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:11052
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        5⤵
        
        PID:34852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        5⤵
        
        PID:38284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im regedit.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4296
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
      4⤵
      PID:3328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K spam.bat
      4⤵
      PID:5132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        5⤵
        
        PID:5368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        6⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        7⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        8⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        21⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        22⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        23⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        24⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        25⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        26⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        27⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        28⤵
        
        PID:12708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        29⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        30⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        31⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        32⤵
        
        PID:14776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        33⤵
        
        PID:15456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        34⤵
        
        PID:15744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        35⤵
        
        PID:16048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        36⤵
        
        PID:16528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        37⤵
        
        PID:16772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        38⤵
        
        PID:17060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        39⤵
        
        PID:17540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        40⤵
        
        PID:17968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        41⤵
        
        PID:18872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        42⤵
        
        PID:19368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        43⤵
        
        PID:19692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        44⤵
        
        PID:20204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        45⤵
        
        PID:20548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        46⤵
        
        PID:21420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        47⤵
        
        PID:21684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        48⤵
        
        PID:22232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        49⤵
        
        PID:22464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        50⤵
        
        PID:22776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        51⤵
        
        PID:22984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        52⤵
        
        PID:14056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        53⤵
        
        PID:23576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        54⤵
        
        PID:24004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        55⤵
        
        PID:23804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        56⤵
        
        PID:25132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        57⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        58⤵
        
        PID:26172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        59⤵
        
        PID:26200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        60⤵
        
        PID:27360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        61⤵
        
        PID:27172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        62⤵
        
        PID:28200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        63⤵
        
        PID:28136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        64⤵
        
        PID:29424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        65⤵
        
        PID:28536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        66⤵
        
        PID:30652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        67⤵
        
        PID:31204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        68⤵
        
        PID:31836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        69⤵
        
        PID:32508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        70⤵
        
        PID:33172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        71⤵
        
        PID:33820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        72⤵
        
        PID:35288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        73⤵
        
        PID:38652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        74⤵
        
        PID:39088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        75⤵
        
        PID:39564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        76⤵
        
        PID:40992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        77⤵
        
        PID:41620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        78⤵
        
        PID:42064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        79⤵
        
        PID:42496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        80⤵
        
        PID:42848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        81⤵
        
        PID:43272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        82⤵
        
        PID:43960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        83⤵
        
        PID:45280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        84⤵
        
        PID:45748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        85⤵
        
        PID:46748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        86⤵
        
        PID:47252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        87⤵
        
        PID:47792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        88⤵
        
        PID:48752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        89⤵
        
        PID:49108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        29⤵
        
        PID:44424
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        29⤵
        
        PID:45456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        28⤵
        
        PID:44344
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        28⤵
        
        PID:45340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        27⤵
        
        PID:44348
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        27⤵
        
        PID:45332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        26⤵
        
        PID:40504
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        26⤵
        
        PID:40536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        25⤵
        
        PID:40188
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        25⤵
        
        PID:40260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        24⤵
        
        PID:39976
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        24⤵
        Kills process with taskkill
        
        PID:40452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        23⤵
        
        PID:39960
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        23⤵
        
        PID:40840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        22⤵
        
        PID:40064
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        22⤵
        
        PID:40912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        21⤵
        
        PID:36892
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        21⤵
        
        PID:38460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        20⤵
        
        PID:34132
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        20⤵
        Kills process with taskkill
        
        PID:34700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        19⤵
        
        PID:34156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        19⤵
        
        PID:34712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        18⤵
        
        PID:36932
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        18⤵
        
        PID:38624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        17⤵
        
        PID:32148
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        17⤵
        
        PID:33004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        16⤵
        
        PID:28572
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        16⤵
        
        PID:28620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        15⤵
        
        PID:32188
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        15⤵
        Kills process with taskkill
        
        PID:32900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        14⤵
        
        PID:24448
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        14⤵
        
        PID:24484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        13⤵
        
        PID:24216
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        13⤵
        Kills process with taskkill
        
        PID:24676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        12⤵
        
        PID:20752
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        12⤵
        
        PID:21160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        11⤵
        
        PID:204
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        11⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        10⤵
        
        PID:14560
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        10⤵
        
        PID:14584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        9⤵
        
        PID:13824
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        9⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        8⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        8⤵
        
        PID:12300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        7⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        7⤵
        Kills process with taskkill
        
        PID:10468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        7⤵
        
        PID:40956
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        6⤵
        
        PID:9524
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        6⤵
        
        PID:9896
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:38276
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
        5⤵
        
        PID:8056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8076
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im regedit.exe
        5⤵
        
        PID:26436
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
      4⤵
      PID:5232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im regedit.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:8028
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs"
      4⤵
      PID:32436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K spam.bat
      4⤵
      PID:9008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        5⤵
        
        PID:34484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        6⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        7⤵
        
        PID:39908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        8⤵
        
        PID:41220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        9⤵
        
        PID:41612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        10⤵
        
        PID:42476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        11⤵
        
        PID:42812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        12⤵
        
        PID:43380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        13⤵
        
        PID:44836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        14⤵
        
        PID:45692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        15⤵
        
        PID:46124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        16⤵
        
        PID:46816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        17⤵
        
        PID:47312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        18⤵
        
        PID:47828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        19⤵
        
        PID:48292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K spam.bat
        20⤵
        
        PID:1100
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs"
      4⤵
      PID:37568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:38588
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dwm.exe
    3⤵
    PID:10416
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /a
    3⤵
    PID:38252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:34968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RSC41JKB\vcd15cbe7772f49c399c6a5babf22c1241717689176015[1].js

Filesize
19KB

MD5
ec18af6d41f6f278b6aed3bdabffa7bc

SHA1
62c9e2cab76b888829f3c5335e91c320b22329ae

SHA256
8a18d13015336bc184819a5a768447462202ef3105ec511bf42ed8304a7ed94f

SHA512
669b0e9a545057acbdd3b4c8d1d2811eaf4c776f679da1083e591ff38ae7684467abacef5af3d4aabd9fb7c335692dbca0def63ddac2cd28d8e14e95680c3511

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\19YL7BCN\favicon-32x32[1].png

Filesize
2KB

MD5
0d8537feb78f537d538779caa4abc471

SHA1
8d0db714f795fc3dea5eca5d192d2fc4865adcd4

SHA256
35094b3a104bfdbb96623f125ecedf97f8533017debf37ff1253679b01ba3458

SHA512
14bd5038f2ceb3668994b7a9c26a37aff57a8ca4387e28b69ce1e73c200c3745d0ac1868eeb2052bba7a58c1ea7e8318c280971e9d1ccfd4736117631c41e5c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BOIM7VU5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\YFGA.bat

Filesize
667B

MD5
f60427e5e741f61e3b16c24f02889fe1

SHA1
1d801790a206bfea2e55f2e12d4d355ffea66a40

SHA256
a565317a649b6a75cddc82ed9a71ced7a0421978437b63a85e26e458e185f748

SHA512
4ad536974fdd4d2465815e6f97e38b83b5edef77ecd6a4f0de0ddf7158c1913d206e88a9ca3168efda76ba94fcbc9ab4e82f21d9be11e70b1f24b6f74a0eefee

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy.vbs

Filesize
50B

MD5
3167d161336cbd296dc579d2295b0f22

SHA1
53253e5841e6a7a7a1b8bd08378af0a96b2f9a98

SHA256
307879bf0d9bec07bab240b5010434801fbee520c99c5a617e8ac630f42dde80

SHA512
62af8fa0c9a30ec6aa9b552fcac1879af1f00f5ceb48a77718b2a8e042e3524e2cd299f26fcde31ad8abf2dcb94d15cf45ecbce0bd5f9f93f44aca6327aa53ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\annoy2.vbs

Filesize
44B

MD5
9a2ccbd3e2f1a2382fed7674c28dd086

SHA1
b466bdd2079575c938de65285f02739143ecb170

SHA256
4519cd5997afce27129ef943f121972f7b0b34aa018e4dd408892fc5c39bb59e

SHA512
8929493211c17a8e99b908a8305dbebe2d96e1b54426e89ddba84c2010a86d7f6d0983080f29fa1ab7a0687d536c0546278b9fffe4560d84e4012f243f344d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\liquidlayers.url

Filesize
114B

MD5
48d066b44b86cb7ed07edb643ce0ea55

SHA1
65040a116d9e9877366e8ab32f9c335adbd9c1b3

SHA256
de10cab81dd679c5d760d8f773fec1b08af416e72af8ea4a9a9cbcd90256516a

SHA512
75ca79d920f2cfbdb8a62c9ce31238c04d2d0da5c52852b89a7241da77270c77d013d2c5ced24b34f380646c7feeb7557fb5febba548e140cbfb4752bd674f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\reg.reg

Filesize
25KB

MD5
aebe09cd7095ec201dc8acc350443242

SHA1
df7337e051bd02e1fdd4005b63ed45b8ca3d9726

SHA256
405d47dca73a5d6180db42e90c35931047c666ed1f1d6fab5ead6110c2356cc7

SHA512
ffc658faf04fee47c1284d439a4c5b3931d2f9bcac9b40e36f59ad0ed4917f0252e639284f817ca84a6da57552f8e0fdf96936987c3f5cf689a537e42b47288d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfga_game_fce19327-a8d4-4ee3-a31f-dd160995e124\spam.bat

Filesize
191B

MD5
d6ff8bd495f5368f6f95b8f87209fcf3

SHA1
778cc2f726ed67fddbadac65bd07fb0bd41c8447

SHA256
f978f4281964d4128659f037b080edab8980c800fe7d675ccd4381442b3f84da

SHA512
96ff08d1db302f633b5b2f7b59618c3958fc73b9fe7e45bb3f25387d2fc151a0cd955134c8842b8e94e682bb5e5a5e8c0cd6936f26bb64df6272691985bbad9b

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
13KB

MD5
70757bb715401d58378cefa1164902c8

SHA1
bd3a062d175b954461d0f0f705520648e87836a1

SHA256
eb1bd7c706c8294fb195901c8f0c653df6850504c913484f070ce13d4159973f

SHA512
09b6d56c517f236a631c9cdd82ae997ddb44d28b9c7c458da77b279048245a7842f01543aecbfe1a3887903ace1a29e216adb5884e0f8d8ec93eb41d247ce821

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
7615dfb5f8b2cbf5c2b85d8dd8f5571c

SHA1
8f8c6e38dfa91a14f69af6453da5aad79ccf046a

SHA256
733b6d3ee008aa6721d9b712c66514407f1f3c01404d6e4cad793aeae6cf06a7

SHA512
a61eca0729d0122e931241ce8255bab67b176e1d9dd5fa5abfa7a46d6ef1724cb2a5ad21f9336436cb44dc29040cecd9b2390e064ed2d62c534211d9e4a96585

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
51KB

MD5
e3c449f88947195e43f71f9bf594b671

SHA1
935ee5ff05153593aaab74e0f55268e82cfecf58

SHA256
bcc6c5afefce49105581277e6fa8eab5981f00f6bbba759566510137bb934c2d

SHA512
d3ce425d26e618dd1ecf43c8653d851e856953e411d929641f826c58b8b3c55b1f5367c9ebb5feffe0f890e3f93f1857920fcf649273ee34b41717b8e7f16619

Download Submit
memory/1232-61-0x0000026F69940000-0x0000026F69A40000-memory.dmp

Filesize
1024KB

Download
memory/1336-33-0x00000241A7D20000-0x00000241A7D30000-memory.dmp

Filesize
64KB

Download
memory/1336-115-0x00000241ADFF0000-0x00000241ADFF1000-memory.dmp

Filesize
4KB

Download
memory/1336-114-0x00000241ADFE0000-0x00000241ADFE1000-memory.dmp

Filesize
4KB

Download
memory/1336-52-0x00000241A5060000-0x00000241A5062000-memory.dmp

Filesize
8KB

Download
memory/1336-17-0x00000241A7C20000-0x00000241A7C30000-memory.dmp

Filesize
64KB

Download
memory/2228-4-0x0000000005120000-0x000000000561E000-memory.dmp

Filesize
5.0MB

Download
memory/2228-0-0x000000007358E000-0x000000007358F000-memory.dmp

Filesize
4KB

Download
memory/2228-468-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-3-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-273-0x000000007358E000-0x000000007358F000-memory.dmp

Filesize
4KB

Download
memory/2228-337-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-2-0x0000000002570000-0x0000000002594000-memory.dmp

Filesize
144KB

Download
memory/2228-1-0x0000000000290000-0x000000000031C000-memory.dmp

Filesize
560KB

Download
memory/4524-387-0x0000015D78000000-0x0000015D78100000-memory.dmp

Filesize
1024KB

Download
memory/4524-391-0x0000015D785D0000-0x0000015D785D2000-memory.dmp

Filesize
8KB

Download
memory/4524-76-0x0000015D77800000-0x0000015D77802000-memory.dmp

Filesize
8KB

Download
memory/4524-389-0x0000015D785B0000-0x0000015D785B2000-memory.dmp

Filesize
8KB

Download
memory/4524-91-0x0000015D77E10000-0x0000015D77E12000-memory.dmp

Filesize
8KB

Download
memory/4524-81-0x0000015D778F0000-0x0000015D778F2000-memory.dmp

Filesize
8KB

Download
memory/4524-79-0x0000015D77830000-0x0000015D77832000-memory.dmp

Filesize
8KB

Download
memory/4944-355-0x0000020A71300000-0x0000020A71400000-memory.dmp

Filesize
1024KB

Download
memory/4944-223-0x0000020A71BF0000-0x0000020A71C10000-memory.dmp

Filesize
128KB

Download
memory/4944-196-0x0000020A71B50000-0x0000020A71B70000-memory.dmp

Filesize
128KB

Download
memory/4944-191-0x0000020A718C0000-0x0000020A718E0000-memory.dmp

Filesize
128KB

Download
memory/4944-147-0x0000020A61100000-0x0000020A61200000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads