18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
Size

445KB
MD5

67e92c30a2f6e1d7558d9aa3669e3be0
SHA1

da3557cccb93727aaec8b6172368bf558cb4a20d
SHA256

18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
SHA512

28f46d1ac9c9a35761cd75597f5342c0bec19f6ae3f71bee9f159a02803051d8b544e687b6f77e5cf2ffb4055a74074d84805bde9871d74fd8fa0e48eef74905
SSDEEP

12288:3xfhCD+TXbiop8VssEDqKF78vVl+KB1wwQrME+:3bxm3swK2dMI1wwGL+

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4804	nSAwEccE.exe
4684	aocYckcs.exe
1744	xSMYQIQM.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nSAwEccE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aocYckcs.exe = "C:\\ProgramData\\XcAkYQQg\\aocYckcs.exe"	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nSAwEccE.exe = "C:\\Users\\Admin\\ISUQkgIc\\nSAwEccE.exe"	nSAwEccE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aocYckcs.exe = "C:\\ProgramData\\XcAkYQQg\\aocYckcs.exe"	aocYckcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aocYckcs.exe = "C:\\ProgramData\\XcAkYQQg\\aocYckcs.exe"	xSMYQIQM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nSAwEccE.exe = "C:\\Users\\Admin\\ISUQkgIc\\nSAwEccE.exe"	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ISUQkgIc\nSAwEccE	xSMYQIQM.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	nSAwEccE.exe
File opened for modification	C:\Windows\SysWOW64\sheExportWait.png	nSAwEccE.exe
File opened for modification	C:\Windows\SysWOW64\sheFormatConfirm.png	nSAwEccE.exe
File opened for modification	C:\Windows\SysWOW64\sheHideGrant.mp3	nSAwEccE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ISUQkgIc	xSMYQIQM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2724	reg.exe
4928	reg.exe
3236	reg.exe
3436	reg.exe
536	reg.exe
4212	reg.exe
1392	reg.exe
2128	reg.exe
3672	reg.exe
3360	reg.exe
4268	reg.exe
4332	reg.exe
1200	reg.exe
312	reg.exe
4228	reg.exe
4124	reg.exe
4192	reg.exe
1472	reg.exe
3192	reg.exe
944	reg.exe
5080	reg.exe
1992	reg.exe
4984	reg.exe
2312	reg.exe
5004	reg.exe
4540	reg.exe
5080	reg.exe
2592	reg.exe
1404	reg.exe
4136	reg.exe
4072	reg.exe
4560	reg.exe
4060	reg.exe
3672	reg.exe
1588	reg.exe
2380	reg.exe
1108	reg.exe
4724	reg.exe
3452	reg.exe
4336	reg.exe
2424	reg.exe
4344	reg.exe
4280	reg.exe
4192	reg.exe
2244	reg.exe
4936	reg.exe
2948	reg.exe
4396	reg.exe
3136	reg.exe
1440	reg.exe
2684	reg.exe
232	reg.exe
1588	reg.exe
1572	reg.exe
4972	reg.exe
2156	reg.exe
4592	reg.exe
2968	reg.exe
520	reg.exe
5036	reg.exe
1920	reg.exe
4188	reg.exe
4056	reg.exe
3936	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4592	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4592	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4592	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4592	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
3248	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
3248	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
3248	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
3248	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1496	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1496	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1496	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1496	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2684	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2684	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2684	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2684	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2228	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2228	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2228	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2228	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1400	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1400	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1400	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1400	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
784	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
784	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
784	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
784	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4864	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4864	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4864	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
4864	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
660	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
660	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
660	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
660	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2992	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2992	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2992	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
2992	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
3972	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
3972	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
3972	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
3972	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
832	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
832	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
832	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
832	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1232	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1232	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1232	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
1232	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4804	nSAwEccE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe
4804	nSAwEccE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 4804	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	82
PID 2268 wrote to memory of 4804	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	82
PID 2268 wrote to memory of 4804	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	82
PID 2268 wrote to memory of 4684	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	83
PID 2268 wrote to memory of 4684	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	83
PID 2268 wrote to memory of 4684	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	83
PID 2268 wrote to memory of 4852	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	85
PID 2268 wrote to memory of 4852	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	85
PID 2268 wrote to memory of 4852	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	85
PID 2268 wrote to memory of 4936	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	87
PID 2268 wrote to memory of 4936	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	87
PID 2268 wrote to memory of 4936	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	87
PID 2268 wrote to memory of 1028	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	93
PID 2268 wrote to memory of 1028	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	93
PID 2268 wrote to memory of 1028	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	93
PID 2268 wrote to memory of 1388	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	91
PID 2268 wrote to memory of 1388	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	91
PID 2268 wrote to memory of 1388	2268	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	91
PID 4852 wrote to memory of 5076	4852	cmd.exe	90
PID 4852 wrote to memory of 5076	4852	cmd.exe	90
PID 4852 wrote to memory of 5076	4852	cmd.exe	90
PID 5076 wrote to memory of 3212	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	94
PID 5076 wrote to memory of 3212	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	94
PID 5076 wrote to memory of 3212	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	94
PID 5076 wrote to memory of 4132	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	96
PID 5076 wrote to memory of 4132	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	96
PID 5076 wrote to memory of 4132	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	96
PID 3212 wrote to memory of 4264	3212	cmd.exe	99
PID 3212 wrote to memory of 4264	3212	cmd.exe	99
PID 3212 wrote to memory of 4264	3212	cmd.exe	99
PID 5076 wrote to memory of 4124	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	98
PID 5076 wrote to memory of 4124	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	98
PID 5076 wrote to memory of 4124	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	98
PID 5076 wrote to memory of 884	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	100
PID 5076 wrote to memory of 884	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	100
PID 5076 wrote to memory of 884	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	100
PID 5076 wrote to memory of 4064	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	102
PID 5076 wrote to memory of 4064	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	102
PID 5076 wrote to memory of 4064	5076	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	102
PID 4264 wrote to memory of 4284	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	105
PID 4264 wrote to memory of 4284	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	105
PID 4264 wrote to memory of 4284	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	105
PID 4264 wrote to memory of 832	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	107
PID 4264 wrote to memory of 832	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	107
PID 4264 wrote to memory of 832	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	107
PID 4264 wrote to memory of 3936	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	115
PID 4264 wrote to memory of 3936	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	115
PID 4264 wrote to memory of 3936	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	115
PID 4264 wrote to memory of 3432	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	108
PID 4264 wrote to memory of 3432	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	108
PID 4264 wrote to memory of 3432	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	108
PID 4264 wrote to memory of 4016	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	110
PID 4264 wrote to memory of 4016	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	110
PID 4264 wrote to memory of 4016	4264	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	110
PID 4064 wrote to memory of 3484	4064	cmd.exe	113
PID 4064 wrote to memory of 3484	4064	cmd.exe	113
PID 4064 wrote to memory of 3484	4064	cmd.exe	113
PID 4284 wrote to memory of 4592	4284	cmd.exe	116
PID 4284 wrote to memory of 4592	4284	cmd.exe	116
PID 4284 wrote to memory of 4592	4284	cmd.exe	116
PID 4016 wrote to memory of 4396	4016	cmd.exe	117
PID 4016 wrote to memory of 4396	4016	cmd.exe	117
PID 4016 wrote to memory of 4396	4016	cmd.exe	117
PID 4592 wrote to memory of 2116	4592	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe	119

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe

C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
"C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\ISUQkgIc\nSAwEccE.exe
  "C:\Users\Admin\ISUQkgIc\nSAwEccE.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4804
- C:\ProgramData\XcAkYQQg\aocYckcs.exe
  "C:\ProgramData\XcAkYQQg\aocYckcs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
    C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        8⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        10⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        12⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        14⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        16⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        18⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        20⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        22⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        24⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        26⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        28⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        30⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        32⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        33⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        34⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        35⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        36⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        37⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        38⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        39⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        40⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        41⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        42⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        43⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        44⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        45⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        46⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        47⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        48⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        49⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        50⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        51⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        52⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        53⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        54⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        55⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        56⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        57⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        58⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        59⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        60⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        61⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        62⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        63⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        64⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        65⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        66⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        67⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        68⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        69⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        70⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        71⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        72⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        73⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        74⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        75⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        76⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        77⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        78⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        79⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        80⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        81⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        82⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        83⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        84⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        85⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        86⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        87⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        88⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        89⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        90⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        91⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        92⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        93⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        94⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        95⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        96⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        97⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        98⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        99⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        100⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        101⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        102⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        103⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        104⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        105⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        106⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        107⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        108⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        109⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        110⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        111⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        112⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        113⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        114⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        115⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        116⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        117⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        118⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        119⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        120⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        121⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        122⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        123⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        124⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        125⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        126⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        127⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        128⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        129⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        130⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        131⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        132⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        133⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        134⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        135⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        136⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        137⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        138⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        139⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        140⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        141⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        142⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        143⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        144⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        145⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4"
        146⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe
        
        C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4
        147⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcIEIQck.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        146⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        Modifies registry key
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMAEoUkg.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        144⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeoMgEEc.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        142⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smIkkYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        140⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaooYMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        138⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mookUYkk.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        136⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmcgQkMM.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        134⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcYkIAoA.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        132⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOscsYoc.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        130⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGMQAMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        128⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggoQAsso.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        126⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYUMsIAg.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        124⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaAAkUsU.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        122⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOgAQsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        120⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwUUccQM.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        118⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYgIAosI.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        116⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEAMcQEs.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        114⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pykQAwEU.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        112⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiIkoIgs.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        110⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMEIUIko.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        108⤵
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\picYsoYE.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        106⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fywAMcwk.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        104⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAUccQME.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        102⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGwksokI.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        100⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uswYccwk.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        98⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEUggIIY.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        96⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiggAUUc.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        94⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asQQwAYM.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        92⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqswsoII.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        90⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmgcEsME.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        88⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiwEocQk.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        86⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owkAcoME.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        84⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIoAkIks.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        82⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqUUUwUc.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        80⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKUMUwwo.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        78⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgwYsIgo.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        76⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYcQEgkg.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        74⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAwYwQUo.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        72⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DioccgUg.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        70⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOMIQssY.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        68⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKYoUsos.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        66⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puYgcggM.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        64⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoMkIckI.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        62⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGkgIEkU.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        60⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsgssoko.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        58⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgMYcIYE.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        56⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYscAcQo.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        54⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmgkgcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        52⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGgQgkgs.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        50⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwMogoIw.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        48⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:68
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAogwUwg.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        46⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkgIUEwI.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        44⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKIwMIUo.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        42⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amUAQQQs.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        40⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcUYIgsI.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        38⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYEEAEcM.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        36⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMsMcQAY.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        34⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSMIoIIk.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        32⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSksAsMU.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        30⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awoMYcoU.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        28⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwQkAskk.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        26⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOUMwIgY.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        24⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCsMEwUM.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        22⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYoowcMs.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        20⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuwIgwgo.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        18⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tycUMcwU.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        16⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWgwgwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        14⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMgEcwEo.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        12⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiwcUIEE.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        10⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEQQcgcg.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        8⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksAQkEME.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4396
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3936
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4124
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCQwgccE.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4936
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmQIwcQE.bat" "C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4.exe""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4060

C:\ProgramData\LscAwogc\xSMYQIQM.exe
C:\ProgramData\LscAwogc\xSMYQIQM.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LscAwogc\xSMYQIQM.exe

Filesize
432KB

MD5
e1431e334cbeb9080a28fb23dc3facf2

SHA1
ea25157dbd76412888db65d498b77ced0f84d07c

SHA256
84082daadca573508d24d515d5f7d7d0e49f2a6f3868c2b403de0dcf75067c8b

SHA512
681a1308ce40d3b88738975778e16f7c03f76c32d3c82023ee77e3e15aab475f48c83ef8b3ce6482df4d134e302421e1ced1c52031f182248710b2fee0f2be61

Download Submit
C:\ProgramData\LscAwogc\xSMYQIQM.exe

Filesize
432KB

MD5
e1431e334cbeb9080a28fb23dc3facf2

SHA1
ea25157dbd76412888db65d498b77ced0f84d07c

SHA256
84082daadca573508d24d515d5f7d7d0e49f2a6f3868c2b403de0dcf75067c8b

SHA512
681a1308ce40d3b88738975778e16f7c03f76c32d3c82023ee77e3e15aab475f48c83ef8b3ce6482df4d134e302421e1ced1c52031f182248710b2fee0f2be61

Download Submit
C:\ProgramData\XcAkYQQg\aocYckcs.exe

Filesize
432KB

MD5
7de4b59f87e283c7e80f3d676b09b42a

SHA1
a09f056d57dee61840ef1bda644e06ca083c871a

SHA256
dd106525224acf22c7782027df682d4c96f2840c2384c235104fc51bbdff464f

SHA512
2983d8946bb74d67033965998830124c28ae7ee0fe8fbca4aa6aa78bf857c571487eef3263a5ab5ef156b8e918e61f4a301f55f38376310aee49d43c9319a670

Download Submit
C:\ProgramData\XcAkYQQg\aocYckcs.exe

Filesize
432KB

MD5
7de4b59f87e283c7e80f3d676b09b42a

SHA1
a09f056d57dee61840ef1bda644e06ca083c871a

SHA256
dd106525224acf22c7782027df682d4c96f2840c2384c235104fc51bbdff464f

SHA512
2983d8946bb74d67033965998830124c28ae7ee0fe8fbca4aa6aa78bf857c571487eef3263a5ab5ef156b8e918e61f4a301f55f38376310aee49d43c9319a670

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fee22908ee54a524e1682b27af400d82b673e4a1e5e1b12f285bcb114d59b4

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOUMwIgY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSksAsMU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiwcUIEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSMIoIIk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYEEAEcM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYoowcMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcUYIgsI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMsMcQAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\amUAQQQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\awoMYcoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cCsMEwUM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWgwgwMQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwQkAskk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEQQcgcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksAQkEME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tycUMcwU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCQwgccE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMgEcwEo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuwIgwgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\ISUQkgIc\nSAwEccE.exe

Filesize
432KB

MD5
dc805fd38cf0c6e98e85eeb335cfe33d

SHA1
80eac5f4d2272fe36398e8954dcb2b28c9e4c59e

SHA256
98453f7b08dd992b4f4ef8159200e06df22f46f23a8f1df3c09f8e329dae56ce

SHA512
3070b0dfd0522d63960aff9adc3af755c2cc3a10e9cd257033a95bea477c31c9e59033377945bcb1d15f9844198a8624744f1b76421461938452bb2a374e1134

Download Submit
C:\Users\Admin\ISUQkgIc\nSAwEccE.exe

Filesize
432KB

MD5
dc805fd38cf0c6e98e85eeb335cfe33d

SHA1
80eac5f4d2272fe36398e8954dcb2b28c9e4c59e

SHA256
98453f7b08dd992b4f4ef8159200e06df22f46f23a8f1df3c09f8e329dae56ce

SHA512
3070b0dfd0522d63960aff9adc3af755c2cc3a10e9cd257033a95bea477c31c9e59033377945bcb1d15f9844198a8624744f1b76421461938452bb2a374e1134

Download Submit
memory/208-300-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/208-280-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/372-272-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/660-250-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/784-239-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/832-260-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/832-264-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/860-289-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/860-288-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1232-268-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1372-311-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1372-310-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1400-235-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1496-201-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1744-287-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1744-143-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1776-312-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1836-306-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1924-321-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2008-307-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2028-319-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2028-320-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2072-294-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2144-293-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2184-299-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2184-298-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2228-222-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2268-140-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2268-284-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2268-305-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2684-213-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2900-276-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-251-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-253-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3148-315-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3148-314-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3248-182-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3248-187-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3472-309-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3508-301-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3608-296-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3608-295-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3972-259-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3984-308-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4056-313-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4092-322-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4232-297-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4264-159-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4264-166-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4340-302-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4344-323-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4592-179-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4604-304-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4604-303-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4684-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4684-286-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4756-318-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4804-141-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4804-285-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4832-317-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4864-244-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4864-246-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5052-316-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5076-156-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download